HSE Health & Safety Executive
Proposal for requirements for low complexity safety related systems
Prepared by RM Consultants Limited for the Health and Safety Executive 2002
RESEARCH REPORT 029
RM Consultants Limited Genesis Centre
Birchwood Science Park Risley
Warrington Cheshire WA3 7BH
United Kingdom
A framework is proposed for the application of IEC61508 to “low complexity” systems such as simple relay based interlock arrangements commonly found in machinery safeguarding applications.
A scheme for architectural constraints is proposed which limits the Safety Integrity Levels (SILs) which can be claimed for low complexity systems of various degrees of hardware fault tolerance. The scheme is consistent with the principles of IEC 61508 while simplifying the requirements.
Comparisons of the numerically and qualitatively assessed SILs on the basis of annual proof testing, annual functional testing only, and taking into account CCF are included for 18 example circuits. The proposed scheme has been shown to be consistent with the achievement of the target failure rate and PFD of the relevant SIL for “low complexity” systems.
In order to simplify the process of reliability analysis to satisfy the requirements for hardware reliability, conservative values based on generic reliability data are proposed for particular components.
Requirements for action on failure detection and for the avoidance of systematic failures are also proposed based on IEC 61508 but tailored for low complexity systems.
The examples in this report are taken from the machinery sector but the principles described will also be applicable in other sectors.
This report and the work it describes were funded by the Health and Safety Executive (HSE). Its contents, including any opinions and/or conclusions expressed, are those of the author alone and do not necessarily reflect HSE policy.
HSE BOOKS
© Crown copyright 2002
First published 2002
ISBN 0 7176 2576 1
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written permission of the copyright owner.
Applications for reproduction should be made in writing to: Licensing Division, Her Majesty's Stationery Office, St Clements House, 2-16 Colegate, Norwich NR3 1BQ or by e-mail to [email protected]
Glossary of Symbols, Acronyms and Abbreviations
CCF      Common Cause Failure
E/E/PE   Electrical/Electronic/Programmable Electronic
EMI      Electromagnetic Interference
FMEA     Failure Modes and Effects Analysis
IEC      International Electrotechnical Commission
I/P      Input
MTTF     Mean Time to Failure
MTTR     Mean Time to Repair
O/P      Output
PFD      Probability of Failure on Demand
SFF      Safe Failure Fraction
SIL      Safety Integrity Level (as defined in IEC 61508)
SPST     Single Pole Single Throw (switch)
Symbols used in calculations
PFDS     Probability of Failure on Demand of the Sensor element of a channel of protection
PFDLS    Probability of Failure on Demand of the Logic Solver element of a channel of protection
PFDFE    Probability of Failure on Demand of the Final Element of a channel of protection
PFDSC    Probability of Failure on Demand of a Single Channel of protection
PFD1oo2  Probability of Failure on Demand of a 1 out of 2 redundancy protection system
PFD1oo3  Probability of Failure on Demand of a 1 out of 3 redundancy protection system
T        Interval between proof tests
β        Common Cause Failure Beta Factor
λ        Failure rate
λDU      Rate of dangerous, undetected failures
FOREWORD
HSE recently commissioned research into how “low complexity” systems based upon electromechanical devices may be designed in a way that complies with the IEC 61508 standard. The “low complexity” systems considered are used in interlocking schemes similar to those commonly found in machinery safeguarding applications.
This report resulted from this work and it presents a methodology for the design, integration and validation of low complexity electrical/electronic/ programmable electronic safety-related systems.
Whilst the report is the opinion of the author and does not necessarily reflect HSE policy, HSE offers this work as an illustration of a principled approach for the design, integration and validation of low complexity E/E/PE safety-related systems in terms of:
- Probability of dangerous random hardware failures;
- Measures to prevent (or control) systematic failures; and
- Architectural constraints on hardware integrity.
The methodology presented is supported by a series of model systems where the safety integrity level (SIL) and other requirements (e.g. proof test interval, safe failure fraction, etc.) have been pre-determined by applying the methodology to typical machinery guard interlocking schemes.
HSE invites comments on the practicality and effectiveness of the recommended approach to achieving the above goals, and on any other significant aspect of the safety integrity of low complexity safety-related systems that is not addressed by this work.
Please send your comments by 30 April 2003 to
Eur Ing S Frost, Technology Division, Electrical and Control Systems Unit, Magdalen House, Stanley Precinct, Bootle, Merseyside L20 3QZ
CONTENTS
1.0 INTRODUCTION
2.0 PROPOSED FRAMEWORK FOR ARCHITECTURAL CONSTRAINTS
    2.1 Data Requirements
    2.2 Fault Exclusions
3.0 VALIDATION OF PROPOSED ARCHITECTURAL CONSTRAINTS
    3.1 Validation Using Generic Data
    3.2 Application to Actual Architectures
4.0 PROPOSED REQUIREMENTS FOR HARDWARE RELIABILITY
    4.1 Generic Failure Rates
5.0 PROPOSED REQUIREMENTS FOR ACTION ON FAILURE DETECTION
6.0 PROPOSED REQUIREMENTS FOR DEFENCES AGAINST SYSTEMATIC FAILURE
7.0 REQUIREMENTS FOR PROVEN-IN-USE
8.0 REFERENCES
APPENDIX A: DERIVATION OF COMPONENT FAILURE RATES
APPENDIX B: PFD OF A REDUNDANT SYSTEM SUBJECT TO ONLY FUNCTIONAL TESTING
APPENDIX C: CALCULATION OF FAILURE MEASURES AND COMPARISON WITH ARCHITECTURAL CONSTRAINTS FOR MACHINERY GUARDING CIRCUITS
APPENDIX D: FAILURE MODES OF ELECTRICAL / ELECTRONIC COMPONENTS FOR LOW COMPLEXITY E/E/PES AND CONSERVATIVE VALUES OF FAILURE RATE
1.0 INTRODUCTION
IEC 61508 [Reference 1] defines requirements for systems to achieve various Safety
Integrity Levels (SILs). SILs are defined in terms of Frequency of Dangerous Failure (for
continuously operating control systems or protection systems subjected to a high demand
rate) or Probability of Failure on Demand (PFD) (e.g. for protection systems subjected to a
low demand rate).
The numerical definitions of the SILs are as follows:
SAFETY INTEGRITY LEVEL | DEMAND MODE OF OPERATION (probability of failure to perform its design function on demand) | CONTINUOUS / HIGH DEMAND MODE OF OPERATION (probability of a dangerous failure per year)
4 | ≥ 10^-5 to < 10^-4 | ≥ 10^-5 to < 10^-4
3 | ≥ 10^-4 to < 10^-3 | ≥ 10^-4 to < 10^-3
2 | ≥ 10^-3 to < 10^-2 | ≥ 10^-3 to < 10^-2
1 | ≥ 10^-2 to < 10^-1 | ≥ 10^-2 to < 10^-1
TABLE 1: DEFINITION OF SAFETY INTEGRITY LEVELS (SILS)
Reference 1 gives guidance on the achievement of the above SILs based on:
· Requirements for hardware safety integrity comprising:
o The architectural constraints on hardware safety integrity and
o The requirements for the probability of dangerous random hardware failures
· Requirements for systematic safety integrity comprising:
o The requirements for the avoidance of failures and the requirements for the
control of systematic faults or
o Evidence that the equipment is proven in use.
· The requirements for system behaviour on detection of a fault.
The architectural constraints impose limits on the SILs which can be claimed for particular
architectures. These limits may result in lower SILs than are indicated by hardware
reliability calculations. The limits are intended to allow for:
· Uncertainties in the data.
· Systematic failures.
The detailed requirements under each of the above general categories are applicable to all
Electrical/Electronic/Programmable Electronic (E/E/PE) safety related systems and are
therefore sufficiently detailed and comprehensive to cover complex programmable systems.
The guidance could therefore be considered overly complex and overly restrictive for
simple, generally non-programmable “low complexity” systems which are defined in
IEC61508 as follows:
“E/E/PE safety-related systems in which:
· the failure modes of each individual component are well defined; and
· the behaviour of the system under fault conditions can be completely
determined.”
These requirements will often be satisfied by systems based on relay logic as are commonly
used in machinery safeguarding applications.
This report proposes a simplified scheme for the application of the IEC 61508 requirements
to low complexity systems.
2.0 PROPOSED FRAMEWORK FOR ARCHITECTURAL CONSTRAINTS
Consider a typical low complexity safeguarding system:
[Figure 1 (block diagram): I/P Device 1 and I/P Device 2 feed a Logic block, which drives the Output Device.]
Figure 1. Schematic Block Diagram of Simple Safeguarding System
In IEC 61508, each of the above blocks is considered to be a subsystem and the system SIL
requirement is met by utilising subsystems of an adequate (equivalent or higher) SIL. The
subsystems must meet the Reliability, Architectural Constraints, Systematic Failure and
Behaviour on Fault Detection requirements for that SIL.
The architectural constraints on the SIL which can be claimed for subsystems performing a
safety function are specified by Tables 2 and 3 in Part 2 of IEC 61508 which are reproduced
below:
Safe failure fraction | Hardware fault tolerance 0 | Hardware fault tolerance 1 | Hardware fault tolerance 2 (see Note 2)
< 60 % | SIL1 | SIL2 | SIL3
60 % - < 90 % | SIL2 | SIL3 | SIL4
90 % - < 99 % | SIL3 | SIL4 | SIL4
> 99 % | SIL3 | SIL4 | SIL4
NOTE 1 See IEC61508-2 7.4.3.1.1 to 7.4.3.1.4 for details on interpreting this table.
NOTE 2 A hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function.
NOTE 3 See IEC61508-2 annex C for details of how to calculate safe failure fraction.
TABLE 2: IEC 61508 ARCHITECTURAL CONSTRAINTS FOR TYPE A SAFETY RELATED SUBSYSTEMS
Safe failure fraction | Hardware fault tolerance 0 | Hardware fault tolerance 1 | Hardware fault tolerance 2 (see Note 2)
< 60 % | Not allowed | SIL1 | SIL2
60 % - < 90 % | SIL1 | SIL2 | SIL3
90 % - < 99 % | SIL2 | SIL3 | SIL4
> 99 % | SIL3 | SIL4 | SIL4
NOTE 1 See IEC61508-2 7.4.3.1.1 to 7.4.3.1.4 for details on interpreting this table.
NOTE 2 A hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function.
NOTE 3 See IEC61508-2 annex C for details of how to calculate safe failure fraction.
TABLE 3: IEC 61508 ARCHITECTURAL CONSTRAINTS FOR TYPE B SAFETY RELATED SUBSYSTEMS
The requirements for subsystems of Type A are, in accordance with IEC 61508:
“A subsystem … can be regarded as type A if, for the components required to achieve the
safety function
a) the failure modes of all constituent components are well defined; and
b) the behaviour of the subsystem under fault conditions can be completely determined;
and
c) there is sufficient dependable failure data from field experience to show that the
claimed rates of failure for detected and undetected dangerous failures are met.”
Requirements (a) and (b) are identical to those defined for low complexity systems above.
Therefore, if Requirement (c) for reliable failure data can be satisfied, the subsystems may
be considered to be Type A. The rates of failure for detected and undetected dangerous
failures can be ascertained in one of two ways:
(a) By the availability of detailed data of adequate quality which differentiates between
different (safe or unsafe) failure modes or;
(b) By carrying out a Failure Modes and Effects Analysis (FMEA).
The meaning of “detailed data of adequate quality” is discussed further in Section 2.1.
It is not an onerous procedure to carry out an FMEA on a low complexity system and it is
proposed in this report that a properly conducted FMEA should be considered as one means
of meeting Requirement (c) for dependable data.
In some cases, components and subsystems may have no reasonably foreseeable dangerous
failure modes. For example, it may not be credible that the contacts of an ultimate series
limit switch on a crane could stick closed to the extent that the contacts would not open
under the force of the crane. In such cases, the failure mode may be excluded from
consideration. Further examples of failure mode exclusions are discussed in Section 2.2.
If Requirement (c) cannot be satisfied by the availability of failure mode data, FMEA, or on
the basis of engineering judgement as above, then strictly speaking, Table 3 for Type B
components should be used. However, it is proposed that, for low complexity systems,
Table 2 for Type A components may be used provided:
i. Conservative data is used in the Hardware Reliability calculation and;
ii. A SFF of < 60% is assumed when applying Table 2.
In addition, it is advisable to carry out an analysis to determine the sensitivity of the
assessed SIL to the reliability data used.
In order to facilitate the estimation of SFF for low complexity systems by FMEA where
dependable data are not available or to help satisfy (i) above, some conservatively derived
component failure rate and failure mode data is presented in Appendix D of this report.
The above procedure for hardware reliability analysis and the application of architectural
constraints is summarised in the flowchart, Figure 2.
[Figure 2, flowchart, rendered as text from its boxes:]
Start
1. Dependable failure mode failure rate data available?*
   Yes: carry out hardware reliability analysis, then apply the architectural constraints from Table 2 using the known SFF. End.
   No: go to step 2.
2. FMEA carried out?
   Yes: carry out hardware reliability analysis, then apply the architectural constraints from Table 2 using the known SFF. End.
   No: use conservative generic data from Appendix D or elsewhere, carry out hardware reliability analysis, then apply the architectural constraints from Table 2 assuming SFF < 60%. End.
* i.e. Failure rate data which distinguishes between safe and unsafe modes of failure.
Figure 2. Process for Hardware Reliability Analysis and Application of Architectural
Constraints for Low Complexity Systems
2.1. Data Requirements
(Note. This section refers to subsystem data for consistency with IEC 61508. It is recognised, however, that in
low complexity systems, a subsystem may be a single component, e.g. a limit switch, a relay or a contactor.)
One of the factors to be taken into account in the framework for architectural constraints
proposed above is the availability or otherwise of dependable data for the failure rate or
failure probability of the subsystems under consideration. This section discusses the
requirements for data to be considered “dependable”.
IEC 61508 sets requirements for evidence if a subsystem is to be considered “proven in
use”. The requirements for dependable data are considered to be similar, as far as they
apply to low complexity systems and excluding those which relate to systematic failure
avoidance, and these are summarised below:
1. There must be confidence that all failures of the population have been identified and
recorded. This is particularly important for undetected or covert failure modes of
protective systems which only operate if a demand is placed upon them or by a
properly planned and executed proof test. In this case, the results of proof testing
must be recorded.
2. The data should come from a source which puts no less stress on the subsystem than
the target application with respect to:
a. Frequency of operation
b. Environmental conditions
c. Electrical and mechanical stress etc.
3. The data collection must differentiate between different failure modes to the extent
required to derive the Safe Failure Fraction.
4. There must be sufficient operating time to support the claimed failure rate to an
adequate degree of confidence. As a minimum, sufficient operating time is required
to establish the claimed failure rate to a single sided lower confidence limit of at
least 70%. An operational time of any individual subsystem of less than one year
shall not be considered as part of the total operational time in the statistical analysis.
(A discussion on confidence limits is given in Reference 4.)
The above requirements for data to be considered dependable are difficult to meet in
practice and are unlikely to be satisfied directly by generic data sources (e.g. MIL-HDBK-217,
Reference 5) or manufacturers’ data which often do not quote failure modes. Such data
on individual components, applied with care and conservatively, is however acceptable for
use in reliability analysis by FMEA.
For low complexity systems, it is not always necessary that the actual application from
which the data is derived be similar in all respects to the target application. For example, if
the item considered is a relay, the actual logic operations being carried out are of no account
but the physical environment and mode and frequency of operation are important (e.g.
whether the relay is normally energised, contacts required to open or close on demand,
frequency of cycling etc.). However, in many cases, for example the “wet end” components
of an instrumentation system in the process industry, the environment is likely to be very
different from that from which generic data is derived. In such cases, data from a similar
application or generic data modified by suitable environment factors is required.
2.2. Fault Exclusions
It may be acceptable to argue on the basis of engineering judgement that certain failure
modes of a subsystem or component are not credible. If the failure modes in question are
the only unsafe failure modes of the device, then they may be excluded from consideration
in the calculation of hardware reliability and the application of architectural constraints.
Annex D of Reference 3 lists failure modes for various types of electrical items which may
be excluded from consideration and, where applicable, the conditions which apply to the
exclusion.
In other cases, it may be possible to design the system to detect unsafe failure modes with a
high degree of confidence using such techniques as:
· dynamic operation (the system reverts to a safe state unless pulses are generated
continuously);
· continuous monitoring of an analogue signal for example to detect out of range
values indicative of sensor failure;
· loop continuity test by standing current;
· dynamic self testing (e.g. safety relay).
Again, in the above cases, certain failure modes may be excluded from consideration in the
reliability analysis and the architectural constraints, given an adequate technical justification
(which might come out of FMEA for example).
3.0 VALIDATION OF PROPOSED ARCHITECTURAL CONSTRAINTS
In order to validate the above, a number of configurations of typical low complexity systems
have been assessed using generic data in order to demonstrate that they achieve at least the
SIL levels appropriate to their architecture.
3.1. Validation Using Generic Data
Appendix A derives some failure rate values for the most commonly used devices in low
complexity safety related systems in the machinery sector, assuming proper device selection
for duty and rating, installation and maintenance. These are shown in Table 4 below:
DEVICE | FAILURE MODE | FAILURE RATE λ (y^-1)
Limit switch | Single contact fails to open or close on demand due to contact or mechanical failure | 1.4 x 10^-1
Limit switch, positively opening on demand | Single contact fails to open on demand due to contact or mechanical failure | 3.4 x 10^-3
Relay | Single contact fails to open or close on demand due to contact or mechanical failure | 1.7 x 10^-3
Contactor | Three phase ac contacts fail to open on demand due to contact or mechanical failure | 5.5 x 10^-3
TABLE 4: GENERIC DEVICE FAILURE RATES
A simple interlocking circuit is considered, comprising a sensor (limit switch, positively
opening on demand), logic solver (single relay) and final element (contactor) which stops a
motor (or prevents a motor from starting) if a guard is not in place. The PFD is assessed
below for a sample of Hardware Fault Tolerance 0 and 1 architectures assuming that a full
proof test is carried out annually. In systems with redundancy, the proof test is assumed to
check that all sensors, logic solvers and final elements are working.
A schematic of a possible implementation of a single channel system is shown in Figure 3.
For a single element:
PFD = λDU × T / 2
where λDU = Dangerous undetected failure rate
T = Interval between proof tests = 1 year.
Hence, applying the failure rates from Table 4:
PFD for the Sensor element, PFDS = 1.7 x 10-3
PFD for the Logic Solver, PFDLS = 8.5 x 10-4
PFD for the Final Element, PFDFE = 2.8 x 10-3
By summation, the PFD for the complete single channel is:
PFDSC = PFDS + PFDLS + PFDFE = 5.3 x 10-3
For systems with 1 out of 2 redundancy (Hardware Fault Tolerance = 1) the system PFD is
given by:
PFD1oo2 = 4/3 × PFDSC²
For systems with 1 out of 3 redundancy (Hardware Fault Tolerance = 2) the system PFD is
given by:
PFD1oo3 = 2 × PFDSC³
Common cause failures are included in the assessment below assuming beta factors of 1%,
5% and 10%. (To simplify the formulae, common cause failures are assumed to be added to
the total element failure rates rather than being part of the total failure rates as is
conventional. This has little effect on the calculated numbers.)
CONFIGURATION | FORMULA FOR PFD | SYSTEM PFD, β = 1% | SYSTEM PFD, β = 5% | SYSTEM PFD, β = 10% | ARCHITECTURAL CONSTRAINT (Table 2)
Case 1, Hardware Fault Tolerance 0: S1 LS1 FE1 | PFDSC = PFDS + PFDLS + PFDFE | 5.3 x 10^-3 (SIL 2), independent of β | | | SIL 1 (PFD ≥ 10^-2 to < 10^-1)
Case 2, Hardware Fault Tolerance 1: S1 LS1 FE1 / S2 LS2 FE2 (two complete channels) | 4/3 PFDSC² + β PFDSC | 9.0 x 10^-5 (SIL 4) | 3.0 x 10^-4 (SIL 3) | 5.7 x 10^-4 (SIL 3) | SIL 2 (PFD ≥ 10^-3 to < 10^-2)
Case 3, Hardware Fault Tolerance 1: S1 LS1 FE1 / S2 LS2 FE2 (1oo2 applied to each element separately) | 4/3 PFDS² + 4/3 PFDLS² + 4/3 PFDFE² + β PFDSC | 6.8 x 10^-5 (SIL 4) | 2.8 x 10^-4 (SIL 3) | 5.5 x 10^-4 (SIL 3) | SIL 2 (PFD ≥ 10^-3 to < 10^-2)
Case 4, Hardware Fault Tolerance 2: S1 LS1 FE1 / S2 LS2 FE2 / S3 LS3 FE3 (three complete channels) | 2 PFDSC³ + β PFDSC | 5.3 x 10^-5 (SIL 4) | 2.7 x 10^-4 (SIL 3) | 5.3 x 10^-4 (SIL 3) | SIL 3 (PFD ≥ 10^-4 to < 10^-3)
TABLE 5: PFDs FOR VARIOUS CONFIGURATIONS, TAKING INTO ACCOUNT CCF
Since only generic data has been used and no FMEA carried out, it is appropriate to apply
the architectural constraints of Table 2 assuming a SFF of <60%. It can be seen that, except
in Case 4 with β = 5% and 10%, the SIL is constrained by the architecture to at least one
level lower than would be indicated by the reliability analysis alone. (In Case 4 with β = 5%
and 10%, the CCF contribution constrains the calculated PFD to the same SIL as the
architectural constraint.) The SIL assessment therefore introduces a comfortable margin of
conservatism to allow for the uncertainty in the data resulting from the absence of detailed
analysis, e.g. by FMEA. The use of Table 3, which would result in even more restriction, is
considered overly conservative. If a higher SFF can be justified by reliable field data or
detailed analysis by FMEA, the architectural constraints would be relaxed and consequently
the SIL assessment would depend to a greater extent on the reliability assessment. The
above discussion suggests that the architectural constraints of Table 2 introduce a
reasonable, but not unduly restrictive, degree of conservatism.
3.2. Application to Actual Architectures
Appendix C considers 18 circuits which are in actual use for machinery safeguarding. For
each circuit, the SIL imposed by the architectural constraints of Table 2 is derived, assuming
a SFF of <60%. Tables C2 to C19 in Appendix C list the cutsets for each circuit (including
Common Cause Failures (CCFs)). If the cutset list contains any single unrevealed failures
(i.e. hardware fault tolerance = 0), from Table 2, the architectural constraint is SIL1. For a
SIL2 constraint, the cutset list must not contain any single unrevealed failure events. The
derived SIL constraints are presented in Table C1. (Note that single CCFs listed in the
cutsets are not treated as single failures since CCFs are by definition multiple failures.)
The PFD/Frequency of Dangerous Failure of each circuit is assessed using the data derived
in Appendix A and assuming a yearly proof test with Common Cause Failure beta factor
values of 1%, 5% and 10%. The circuits are also assessed assuming only a yearly functional
test. The numerically assessed SIL levels for each circuit, for both PFD and frequency of
dangerous failure, are based on Table 1. These SIL levels are presented in Table C1 for
comparison with the proposed architectural constraints of Table 2.
It can be seen from Table C1 that, in all cases, applying the architectural constraint results in
the same or a lower SIL as compared to that calculated from the failure rate or PFD, with the
most severe constraints of up to two levels being at the higher calculated SILs. Thus the
“default” architectural constraint (SFF<60%) has a relatively small effect at the lower SILs
but an increasingly important effect as higher SILs are required. This is consistent with the
need to allow for uncertainties in the reliability data and systematic failures at the higher SIL
levels.
If a SFF better than 60% can be demonstrated from dependable data or from FMEA, then
the architectural constraints will be relaxed by up to 2 levels. In most cases, this will allow a
higher SIL to be claimed. The scheme therefore meets the requirement of allowing a higher
SIL if there is adequate justification.
Appendix C also demonstrates that functional testing of machinery interlock circuits often
results in lower SILs compared to cases where full proof testing is performed.
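As an added worked example (not code from the report), the following Python reproduces the arithmetic of Section 3.1 and the cutset rule of Section 3.2: the element PFD λDU·T/2, the single channel sum, the 1oo2 and 1oo3 formulae with the report's additive β CCF term, the Table 1 SIL bands, the Table 2/3 architectural constraint lookup, and hardware fault tolerance read from a cutset list in which CCF events are not counted as single failures. The rates are those of Table 4; the cutset sample and the convention of counting a CCF event as order two are my own constructions.

```python
"""Added example: PFD, SIL and architectural-constraint arithmetic from
Sections 3.1 and 3.2 of the report. Not the report's own code."""

# Table 4: dangerous undetected failure rates, lambda_DU, per year, for one
# channel: positively opening limit switch, relay, three phase contactor.
LAMBDA_DU = {"sensor": 3.4e-3, "logic_solver": 1.7e-3, "final_element": 5.5e-3}
PROOF_TEST_INTERVAL_YEARS = 1.0

# Table 1, demand mode of operation: (exclusive upper bound of PFD, SIL).
SIL_BANDS = [(1e-4, 4), (1e-3, 3), (1e-2, 2), (1e-1, 1)]

# Tables 2 and 3: (exclusive upper bound of SFF, SIL allowed for HFT 0, 1, 2).
TYPE_A = [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (2.0, (3, 4, 4))]
TYPE_B = [(0.60, (None, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (2.0, (3, 4, 4))]


def element_pfd(lambda_du, t=PROOF_TEST_INTERVAL_YEARS):
    """PFD of one element that is proof tested every t years: lambda_DU * T / 2."""
    return lambda_du * t / 2


def single_channel_pfd(rates=LAMBDA_DU):
    """PFD_SC: the element PFDs of a series channel simply add."""
    return sum(element_pfd(r) for r in rates.values())


def pfd_1oo2(pfd_sc, beta):
    """Case 2 of Table 5: two complete channels, 1 out of 2, plus beta * PFD_SC
    for common cause failure (the report's simplified additive treatment)."""
    return 4 / 3 * pfd_sc ** 2 + beta * pfd_sc


def pfd_1oo2_per_element(rates, beta):
    """Case 3 of Table 5: 1 out of 2 applied to each element separately."""
    pfds = [element_pfd(r) for r in rates.values()]
    return sum(4 / 3 * p ** 2 for p in pfds) + beta * sum(pfds)


def pfd_1oo3(pfd_sc, beta):
    """Case 4 of Table 5: three complete channels, 1 out of 3."""
    return 2 * pfd_sc ** 3 + beta * pfd_sc


def sil_from_pfd(pfd):
    """Table 1, demand mode. 0 means PFD >= 1e-1, i.e. no SIL is met.
    Values below 1e-5 are outside Table 1 and are reported as SIL 4."""
    for upper, sil in SIL_BANDS:
        if pfd < upper:
            return sil
    return 0


def architectural_constraint(hft, sff, type_a=True):
    """Highest SIL allowed by Table 2 (type A) or Table 3 (type B).
    sff is a fraction (0.0 .. 1.0); hft above 2 is read from the HFT 2 column.
    None means 'Not allowed'."""
    if hft < 0:
        raise ValueError("hardware fault tolerance cannot be negative")
    column = min(hft, 2)
    for upper, sils in (TYPE_A if type_a else TYPE_B):
        if sff < upper:
            return sils[column]
    raise ValueError("safe failure fraction must be between 0 and 1")


def hardware_fault_tolerance(cutsets):
    """Section 3.2 rule: given the cutsets for dangerous failure of a circuit,
    HFT is one less than the smallest cutset order. A common cause event
    (name starting with 'CCF') is by definition a multiple failure, so it is
    counted here as order 2 (a constructed convention, not the report's)."""
    orders = [sum(2 if e.startswith("CCF") else 1 for e in c) for c in cutsets]
    return min(orders) - 1


def claimable_sil(pfd, hft, sff=0.0, type_a=True):
    """SIL that can be claimed: the Table 1 SIL capped by the architectural
    constraint. sff defaults to 0.0, i.e. the '< 60 %' assumption the report
    makes when only generic data and no FMEA are available."""
    constraint = architectural_constraint(hft, sff, type_a)
    if constraint is None:
        return None
    return min(sil_from_pfd(pfd), constraint)


def table5(betas=(0.01, 0.05, 0.10)):
    """Reproduce Table 5: {case: {beta: (pfd, calculated SIL, claimable SIL)}}."""
    pfd_sc = single_channel_pfd()
    cases = {
        "case1_hft0": (lambda b: pfd_sc, 0),
        "case2_hft1": (lambda b: pfd_1oo2(pfd_sc, b), 1),
        "case3_hft1": (lambda b: pfd_1oo2_per_element(LAMBDA_DU, b), 1),
        "case4_hft2": (lambda b: pfd_1oo3(pfd_sc, b), 2),
    }
    result = {}
    for name, (formula, hft) in cases.items():
        result[name] = {}
        for beta in betas:
            pfd = formula(beta)
            result[name][beta] = (pfd, sil_from_pfd(pfd), claimable_sil(pfd, hft))
    return result


if __name__ == "__main__":
    for name, rows in table5().items():
        for beta, (pfd, calc, claim) in rows.items():
            print(f"{name} beta={beta:.0%}: PFD={pfd:.1e}, calculated SIL {calc}, claimable SIL {claim}")
```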
4.0 PROPOSED REQUIREMENTS FOR HARDWARE RELIABILITY
The requirements for estimating the probability of failure of safety functions due to random
hardware failures are fundamentally the same as in IEC 61508, i.e. analysis should be
undertaken to demonstrate a probability of failure equal to or better than the target failure
measure.
If dependable data for the failure modes of interest of the exact type of each component part
of the system are available from a similar application operating in a similar environment, the
hardware reliability analysis can be carried out as described in IEC 61508. If specific data
are not available, conservative generic data may be used for the hardware reliability
analysis.
4.1. Generic Failure Rates
Low complexity systems in the machinery sector are likely to comprise a limited number of
devices e.g.
· Limit switches
· Relays
· Contactors
Data for some such devices has been derived in Appendix A. The data is valid only if
devices are properly selected for the required duty and rating and properly installed and
maintained.
Appendix D presents a list of some of the components likely to be found in low complexity
systems. The list is based on the component failure mode lists in Reference 3. For each
component, a conservative value of failure rate is given which can be shown by reference to
generic data to be rarely exceeded.
Appendix D also lists potential failure modes of the components which should be considered
in the reliability analysis along with a suggested value for the percentage of the total failure
rate which applies to that failure mode (Failure Mode Ratio). Those failure modes marked
with an asterisk in Appendix D can be effectively designed out of the system and, given
adequate design, need not be considered (see Reference 3, Table D.5 for guidance on the
necessary design features).
5.0 PROPOSED REQUIREMENTS FOR ACTION ON FAILURE DETECTION
The proposed requirements for action on failure detection are identical to those in Section
7.4.6 of IEC 61508. In low complexity systems, there are unlikely to be self-monitoring or
diagnostic features as may be provided on more complex, and particularly PE based
systems. Low complexity systems may, however, have fail to safety design features and/or
self checking features which should be designed to result in a safe state on failure.
6.0 PROPOSED REQUIREMENTS FOR DEFENCES AGAINST SYSTEMATIC FAILURE
Annexes A and B of IEC61508-2 [Reference 1] recommend, for each SIL, techniques and
measures to apply to avoid failures during the safety lifecycle of a system, and to control
failures during operation should they occur. Measures to control failures are built-in
features of safety related systems.
Tables A.16 to A.18 of Reference 1 recommend techniques and measures for controlling
systematic failures during operation. Tables B.1 to B.5 of Reference 1 recommend
techniques and measures to avoid systematic failures during different phases of the lifecycle
of the system (including design, operation and maintenance). ‘Highly recommended’
techniques and measures must be applied to all systems unless there are good reasons for
their not being used, and these reasons must be documented. Application of ‘recommended’
techniques is optional but at least one of the available techniques must be applied [Reference
1]. Failure to adequately embrace the recommended techniques will adversely affect the
SIL which can be claimed.
The application of these techniques and measures to low complexity systems is considered
below.
The majority of measures which could be applied to control systematic failures caused by
hardware and software design (Table A.16 in Reference 1) are unlikely to be applicable to
low complexity systems (e.g. interlock guard systems). These techniques and measures
have been removed from the table below. Low complexity systems are unlikely to
incorporate the sophisticated components or design processes to which several of the
techniques and measures (e.g. program sequence monitoring) would apply.
All the highly recommended measures identified to control systematic failures due to
environmental and operational factors (Tables A.17 and A.18 in Reference 1) are applicable
to low complexity systems. However, again, some of the recommended techniques are of
limited suitability for low complexity systems. The recommendations considered applicable
to low complexity systems for Tables A16 to A18 in Reference 1 have been combined
together in Table 6 below.
16
Technique/Measure See IEC SIL1 SIL2 SIL3 SIL4 61508-7
TECHNIQUES AND MEASURES TO CONTROL SYSTEMATIC FAILURES CAUSED BY HARDWARE DESIGN Failure detection by on-line monitoring A.1.1 R R R R (Note 2) low low medium high Antivalent signal transmission A.11.4 R R R R
low low medium high Standard test access ports A.2.3 R R R R
low low medium high Use of well-tried components B.3.3 R R R R
low Low medium high Diverse hardware (Note 3) B.1.4 - – R R
low low medium high Separation of E/E/PE safety-related systems B.1.3 HR HR HR HR from non-safety-related systems low low medium high Measures against voltage breakdown, A.8 HR HR HR HR voltage variations, overvoltage, low voltage mandatory mandatory mandatory mandatory Separation of electrical energy lines from A.11.1 HR HR HR HR information lines (Note 4) mandatory mandatory mandatory mandatory Increase of interference immunity A.11.3 HR HR HR HR
mandatory mandatory mandatory mandatory Measures against the physical environment A.14 HR HR HR HR (for example, temperature, humidity, water, mandatory mandatory mandatory mandatory vibration, dust, corrosive substances) Measures against temperature increase A.10 HR HR HR HR
low low medium high Spatial separation of multiple lines A.11.2 HR HR HR HR
low low medium high Modification protection B.4.8 HR HR HR HR
mandatory mandatory mandatory mandatory At least one of the techniques in the light grey shaded group is required.
NOTE 1 The overview of techniques and measures associated with this table is in annexes A and B of IEC 61508-7. The relevant subclause is referenced in the second column.
NOTE 2 For E/E/PE safety-related systems operating in a low demand mode of operation (for example emergency shutdown systems); the diagnostic coverage achieved from failure detection by on-line monitoring is generally low or none.
NOTE 3 Diverse hardware is not required if it has been demonstrated, by validation and extensive operational experience, that the hardware is sufficiently free of design faults and sufficiently protected against common cause failures to fulfil the target failure measures.
NOTE 4 Separation of electrical energy lines from information lines is not necessary if the information is transported optically, nor is it necessary for low power lines which are designed for energising components of the E/E/PES and carrying information from or to these components.
TABLE 6: DESIGN TECHNIQUES AND MEASURES TO CONTROL
SYSTEMATIC FAILURES CAUSED BY HARDWARE DESIGN IN LOW
COMPLEXITY SYSTEMS
Many of the measures identified in Tables B.1 to B.5 to help avoid systematic errors during
system design, operation and maintenance are applicable to low complexity systems. The
applicable recommendations have been combined in Table 7 below:
(Columns: Technique/Measure | See IEC 61508-7 | SIL1 | SIL2 | SIL3 | SIL4. Each SIL cell gives the recommendation (HR, R, NR or –) followed, in brackets, by the effectiveness required.)
GENERAL RECOMMENDATIONS TO AVOID MISTAKES DURING THE LIFECYCLE
Project management | B.1.1 | HR (low) | HR (low) | HR (medium) | HR (high)
Documentation | B.1.2 | HR (low) | HR (low) | HR (medium) | HR (high)
RECOMMENDATIONS TO AVOID MISTAKES DURING SPECIFICATION OF REQUIREMENTS
Structured specification | B.2.1 | HR (low) | HR (low) | HR (medium) | HR (high)
Inspection of the specification | B.2.6 | – (low) | HR (low) | HR (medium) | HR (high)
RECOMMENDATIONS TO AVOID INTRODUCING FAULTS DURING DESIGN AND DEVELOPMENT
Observance of guidelines and standards | B.3.1 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory)
Inspection of the hardware or walk-through of the hardware | B.3.7 / B.3.8 | – (low) | R (low) | R (medium) | R (high)
RECOMMENDATIONS TO AVOID FAULTS AND FAILURES DURING OPERATION AND MAINTENANCE PROCEDURES
Operation and maintenance instructions | B.4.1 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory)
User friendliness | B.4.2 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory)
Maintenance friendliness | B.4.3 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory)
Limited operation possibilities | B.4.4 | – (low) | R (low) | HR (medium) | HR (high)
Protection against operator mistakes | B.4.6 | – (low) | R (low) | HR (medium) | HR (high)
Operation only by skilled operators | B.4.5 | – (low) | R (low) | R (medium) | HR (high)
RECOMMENDATIONS TO AVOID FAULTS DURING TESTING/SAFETY VALIDATION
Functional testing | B.5.1 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory)
Functional testing under environmental conditions | B.6.1 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory)
Interference surge immunity testing | B.6.2 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory)
Simulation and failure analysis | B.3.6 / B.6.6 | – (low) | R (low) | R (medium) | R (high)
Field experience | B.5.4 | R (low) | R (low) | R (medium) | NR
At least one of the techniques in the light grey shaded group is required.
NOTE 1 The overview of techniques and measures associated with this table is in annex B of IEC 61508-7. Relevant subclauses are referenced in the second column.
TABLE 7: RECOMMENDATIONS TO AVOID MISTAKES DURING THE
LIFECYCLE OF LOW COMPLEXITY SYSTEMS
7.0 REQUIREMENTS FOR PROVEN-IN-USE
If a system can be demonstrated to be “proven-in-use” in accordance with the requirements
of IEC 61508 Sections 7.4.7.6 to 7.4.7.12, then it is not necessary to satisfy the conditions
for the avoidance of systematic failure as outlined in Section 6.
In order to be considered proven-in-use, there must be supporting data meeting the
requirements for dependable data as outlined in Section 2.1 for the identical system or
subsystem. However, in addition, the data must be derived from an application functionally
similar to the target application in order to demonstrate that the system or subsystem is free
from design errors and other causes of systematic failure. Therefore, data from a
functionally different application or manufacturers’ data on components will not generally
be acceptable.
However, in the context of low complexity systems, evidence supporting a proven-in-use
argument for some of the subsystems or component parts of a system may be drawn from a
different functional application if that application meets the following conditions:
· The component considered has the same function within the application as in the
target application. This condition will generally be satisfied by components which
have a single, simple function e.g. simple combinatorial logic, sensing elements, trip
amplifiers, valve actuators, but is not likely to be met by more complex,
multifunctional devices and, in particular, programmable devices.
· The component is used in a similar physical environment as the target application
and has similar protection against external influences (EMI, temperature, humidity,
dust etc.).
· The component is subjected to similar mechanical and/or electrical stresses and duty
cycle (for mechanical or electromechanical devices).
· Data collected from the application(s) meets the requirements of Section 2.1 for
dependable data.
It is envisaged that this approach may be useful for certain standard system building blocks
such as safety relays and trip amplifiers where a proven-in-use demonstration may obviate
the need for a hardware reliability analysis and FMEA and a consideration of defences
against systematic failure. (It is noted that this approach is no different from that used of
necessity for smaller component parts such as terminal blocks, simple relays, resistors,
capacitors, semiconductors, since it is not possible to assess their reliability or defences
against systematic failures and reliance must be placed on generic reliability data and an
inherent assumption that they are proven-in-use with respect to systematic failures.)
However, it must be emphasised that even if some or all of the subsystems or component
parts of a system are deemed proven-in-use, cognisance will still need to be taken of all the
requirements outlined in this document as far as they apply at the system level.
8.0 REFERENCES
1 IEC 61508-2 ‘Functional Safety of electrical/electronic/programmable electronic
safety-related systems – Part 2: Requirements for electrical/electronic/programmable
electronic safety-related systems’, 1999.
2 ‘Health and Safety Executive – Analysis of Machinery Guard Interlock Circuits’, R96-
157(N), First Issue, November 1996, R M Consultants Ltd., (J2403).
3 PrEN 954-2, Safety of machinery, Safety related parts of control systems, Part 2:
validation.
4 BS 5760 Part 2 1994, Reliability of systems, equipment and components, Part 2.
Guide to the assessment of reliability.
5 MIL-HDBK 217, Reliability Prediction of Electronic Equipment.
FIGURE 3: GUARDING SYSTEM, HARDWARE FAULT TOLERANCE = 0
[Figure: guard limit switch (Open / Closed), Relay K1 and Motor Contactor K1. Note: Guard shown in open position]
APPENDIX A:
DERIVATION OF COMPONENT FAILURE RATES
This Appendix derives failure rates for the primary components used in low complexity
systems.
Limit Switch
From Reference A1, Section 14.1:
λb = 4.3 × 10^-6/h (Limit Switch)
πL = 1.28 (Stress 0.2, inductive load)
πC = 1.0 (Not push button or toggle)
πQ = 2 (Non-MIL Spec)
πE = 3 (Ground, Fixed)
Failure rate = λb·πL·πC·πQ·πE = 33.0 f/10^6 h (0.289 f/y)
From Reference A2, Section 14.1:
λg = 13 × 10^-6/h (Limit Switch, Ground Fixed environment)
πQ = 2 (Non-MIL Spec)
Failure rate = λg·πQ = 26.0 f/10^6 h (0.228 f/y)
Taking the higher of these, the failure rate is 33 f/10^6 h or 0.289 f/y. This applies to a single
pole single throw (SPST) switch.
Failure modes are assumed to be 50% fail safe, 50% fail danger, allocated equally between
mechanical parts and the contacts, i.e. 7.2 × 10^-2 f/y per mode. This failure rate would apply
to each contact on a multi-contact switch.
Limit Switch, positively opening on demand
The failure rate of a switch which is driven open directly by a mechanical force is expected
to be much lower. The data for a pushbutton is considered the most applicable although
data is not available to distinguish between opening and closing modes of operation. From
Reference A1, Section 14.1:
λb = 0.1 × 10^-6/h (Pushbutton)
πL = 1.28 (Stress 0.2, inductive load)
πC = 1.0 (SPST)
πQ = 2 (Non-MIL Spec)
πE = 3 (Ground, Fixed)
Failure rate = λb·πL·πC·πQ·πE = 0.77 f/10^6 h (6.7 × 10^-3 f/y)
From Reference A2, Section 14.1:
λg = 0.3 × 10^-6/h (Pushbutton, Ground Fixed environment)
πQ = 2 (Non-MIL Spec)
Failure rate = λg·πQ = 0.6 f/10^6 h (5.3 × 10^-3 f/y)
Taking the higher of these, the failure rate is 0.77 f/10^6 h or 6.7 × 10^-3 f/y. This applies to an
SPST switch.
Failure modes are assumed to be 50% fail safe, 50% fail danger, allocated equally between
mechanical parts and the contacts, i.e. 1.7 × 10^-3 f/y per mode. This failure rate would apply
to each additional contact on a multi-contact switch.
Relays
From Reference A1, Section 13.1:
λb = 0.0059 × 10^-6/h (85 °C rated temperature, 25 °C ambient)
πL = 1.28 (Stress 0.2, inductive load)
πC = 1.75 (Single pole, double throw)
πcyc = 1.0 (< 10 cycles/h, non-MIL Spec.)
πF = 5 (Balanced armature, general purpose, 0-5 Amp)
πQ = 2.9 (Commercial)
πE = 2 (Ground, Fixed)
Failure rate = λb·πL·πC·πcyc·πF·πQ·πE = 0.383 f/10^6 h (3.4 × 10^-3 f/y)
From Reference A2, Section 13.1:
λg = 0.12 × 10^-6/h (General purpose, balanced armature, Ground Fixed environment)
πQ = 2.9 (Non-MIL Spec)
Failure rate = λg·πQ = 0.348 f/10^6 h (3.0 × 10^-3 f/y)
From Reference A3:
λref = 0.004 × 10^-6/h (general switching relay)
πL = 20 (dc, inductive load)
πT = 1 (< 40 °C)
πS = 1.0 (< 1 cycle/h)
πE = 3 (Dust tight)
Failure rate = λref·πL·πT·πS·πE = 0.24 f/10^6 h (2.1 × 10^-3 f/y)
Reference A4 gives a Mean Time To Failure (MTTF) for a relay of 10^8 hours, i.e. a failure
rate of 0.01 f/10^6 h with 90% of failures in the dangerous direction.
Taking the highest of the above, the failure rate is 0.383 f/10^6 h or 3.4 × 10^-3 f/y. This applies
to an SPST contact form.
Failure modes are assumed to be 50% fail safe, 50% fail danger, allocated equally between
mechanical parts and the contacts, i.e. 8.4 × 10^-4 f/y per mode. This failure rate would apply
to each additional contact on a multi-contact relay.
Contactors
From Reference A1, Section 13.1:
λb = 0.0084 × 10^-6/h (85 °C rated, 40 °C operation)
πL = 1.28 (20% stress, inductive load)
πC = 2 (3PST)
πCYC = 1 (Non-MIL Spec, < 10 cycles/h)
πF = 10 (25-600 Amp contactor, balanced armature)
πQ = 2.9 (Commercial)
πE = 2 (Ground Fixed)
Failure rate = λb·πL·πC·πCYC·πF·πQ·πE = 1.2 f/10^6 h (1.1 × 10^-2 f/y)
From Reference A2, Section 13.1:
λg = 0.12 × 10^-6/h (Contactor, high current, solenoid, ground fixed environment, SPST)
πQ = 2.9 (Non-MIL Spec)
Failure rate = λg·πQ = 0.35 f/10^6 h (3.0 × 10^-3 f/y)
From Reference A4:
λref = 0.25 × 10^-6/h (3 pole ac contactor)
πS = 1.0 (< 1 cycle/h)
πU = 1 (< 400 V ac)
πI = 0.71 (50% rated current)
πT = 1
πE = 1
Failure rate = λref·πS·πU·πI·πT·πE = 0.18 f/10^6 h (1.6 × 10^-3 f/y)
Reference A4 gives an MTTF for a contactor of 2.5 × 10^6 hours, i.e. a failure rate of
0.4 f/10^6 h with 90% of failures in the dangerous direction.
Taking the worst case figure, the failure rate is 1.2 × 10^-6 f/h or 1.1 × 10^-2 f/y. Failure modes
are assumed to be 50% fail danger, 50% fail safe, i.e. 5.5 × 10^-3 f/y per mode.
Wiring
The failure rate of wiring is more dependent on external causes (e.g. flexing, chafing) than
on the wire itself which, in ideal conditions, will not fail. It is therefore not possible to
predict a failure rate from generic data. A value of 0.01 failures per year has been allocated
(50% open circuit, 50% short circuit between conductors, i.e. 0.005f/y per mode).
Link
Some systems use a link which must be physically broken in order to open the guard. No
dangerous failure has been identified and the failure rate is considered to be effectively zero.
LEGEND
λb = Base failure rate (failures per 10^6 hours)
λref = Reference (= Base) failure rate (failures per 10^6 hours)
λg = Failure rate for Ground Fixed environment (failures per 10^6 hours)
πC = Complexity or Configuration factor
πCYC = Cycling factor
πE = Environment factor
πF = Form factor
πI = Current stress factor
πL = Load stress factor
πQ = Quality factor
πT = Temperature factor
πS = Cycling factor
πU = Voltage stress factor
πV = Voltage stress factor
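The arithmetic behind the figures in this appendix (base rate times the π-factors, conversion from failures per 10^6 h to failures per year, selection of the highest candidate, and an even split over failure modes) is small enough to put in code. The block below is an added example, not part of the HSE report; the base rates and π-factors are the ones quoted in this appendix, while the class and function names (FailureRateEstimate, select_rate, summarise) are this example's own.

```python
"""Added example: the parts-stress failure-rate arithmetic of Appendix A.

Reproduces the appendix figures so each number can be traced. Base rates and
pi-factors are those quoted in the appendix; names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List

HOURS_PER_YEAR = 8760.0   # conversion used throughout the appendix (f/10^6 h -> f/y)


@dataclass
class FailureRateEstimate:
    """One candidate estimate: a base rate in failures per 10^6 h and its pi-factors."""
    source: str
    base_rate_per_1e6h: float
    pi_factors: Dict[str, float] = field(default_factory=dict)

    def rate_per_1e6h(self) -> float:
        # Parts-stress form: base rate multiplied by every applicable pi-factor.
        # The parts-count form (Reference A2) is the same with only pi_Q present.
        rate = self.base_rate_per_1e6h
        for factor in self.pi_factors.values():
            rate *= factor
        return rate

    def rate_per_year(self) -> float:
        return self.rate_per_1e6h() * 1e-6 * HOURS_PER_YEAR


def select_rate(estimates: List[FailureRateEstimate]) -> FailureRateEstimate:
    """The appendix takes the highest of the candidate estimates (conservative choice)."""
    return max(estimates, key=lambda e: e.rate_per_1e6h())


def per_mode_rate(total_per_year: float, n_modes: int) -> float:
    """Even split over failure modes, e.g. 4 = {safe, dangerous} x {mechanical, contacts}."""
    return total_per_year / n_modes


# Figures copied from Appendix A for the limit switch, relay and contactor.
LIMIT_SWITCH = [
    FailureRateEstimate("A1 parts stress", 4.3,
                        {"pi_L": 1.28, "pi_C": 1.0, "pi_Q": 2, "pi_E": 3}),
    FailureRateEstimate("A2 parts count", 13.0, {"pi_Q": 2}),
]
RELAY = [
    FailureRateEstimate("A1 parts stress", 0.0059,
                        {"pi_L": 1.28, "pi_C": 1.75, "pi_cyc": 1.0, "pi_F": 5,
                         "pi_Q": 2.9, "pi_E": 2}),
    FailureRateEstimate("A2 parts count", 0.12, {"pi_Q": 2.9}),
    FailureRateEstimate("A3 SN 29500", 0.004,
                        {"pi_L": 20, "pi_T": 1, "pi_S": 1.0, "pi_E": 3}),
]
CONTACTOR = [
    FailureRateEstimate("A1 parts stress", 0.0084,
                        {"pi_L": 1.28, "pi_C": 2, "pi_CYC": 1, "pi_F": 10,
                         "pi_Q": 2.9, "pi_E": 2}),
    FailureRateEstimate("A2 parts count", 0.12, {"pi_Q": 2.9}),
    FailureRateEstimate("A4 SN 29500", 0.25,
                        {"pi_S": 1.0, "pi_U": 1, "pi_I": 0.71, "pi_T": 1, "pi_E": 1}),
]


def summarise(estimates: List[FailureRateEstimate], n_modes: int) -> dict:
    """Chosen estimate, its rate in both units, and the per-mode allocation."""
    chosen = select_rate(estimates)
    return {
        "source": chosen.source,
        "rate_per_1e6h": chosen.rate_per_1e6h(),
        "rate_per_year": chosen.rate_per_year(),
        "per_mode_per_year": per_mode_rate(chosen.rate_per_year(), n_modes),
    }


if __name__ == "__main__":
    for name, ests, modes in (("Limit switch", LIMIT_SWITCH, 4),
                              ("Relay", RELAY, 4), ("Contactor", CONTACTOR, 2)):
        s = summarise(ests, modes)
        print(f"{name}: {s['rate_per_1e6h']:.3f} f/10^6 h = {s['rate_per_year']:.2e} f/y, "
              f"{s['per_mode_per_year']:.2e} f/y per mode (from {s['source']})")
```

Running it reproduces 33.0, 0.383 and 1.2 f/10^6 h for the three components, the 0.289, 3.4 × 10^-3 and 1.1 × 10^-2 f/y conversions, and the per-mode figures quoted above; the π-factor dictionaries make it explicit which factors each reference applies.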
REFERENCES
A1 MIL-HDBK 217F (Notice 2), Reliability Prediction of Electronic Equipment, 28th
February 1995, Parts Stress Analysis.
A2 MIL-HDBK 217F (Notice 2), Reliability Prediction of Electronic Equipment, 28th
February 1995, Appendix A, Parts Count Reliability Prediction.
A3 Siemens AG SN 29500 Part 7, Failure Rates of Components, Expected Values for
Relays, April 1992
A4 Siemens AG SN 29500 Part 11, Failure Rates of Components, Expected Values for
Contactors, August 1990
APPENDIX B:
PFD OF A REDUNDANT SYSTEM SUBJECT TO ONLY FUNCTIONAL TESTING
Consider the following system comprising two redundant elements in parallel:
[Figure: two redundant elements, Element A and Element B, in parallel]
The elements have dangerous undetected failure rates of $\lambda_A$ and $\lambda_B$ respectively. The system
is functionally tested at intervals of T. The functional test will only detect a failure if both
elements are failed; if only one element is failed, the system is working and will pass the
functional test. (This must be distinguished from a proof test which would be expected to
detect failure of one element even if the system is working).
The probability that A is failed but B is not failed at a time t is:
$$P_{BA} = \left(1 - e^{-\lambda_A t}\right) e^{-\lambda_B t} = e^{-\lambda_B t} - e^{-(\lambda_A + \lambda_B) t}$$
The probability that B then fails in the interval t to t+dt is
$$P_{AB} = \left(e^{-\lambda_B t} - e^{-(\lambda_A + \lambda_B) t}\right) \lambda_B \, dt$$
Similarly, the probability of A failing in the interval t to t+dt, B having already failed, is:
$$P_{BA} = \left(e^{-\lambda_A t} - e^{-(\lambda_A + \lambda_B) t}\right) \lambda_A \, dt$$
The total probability of system failure in the interval t to t+dt is therefore:
$$P_{SYS} = \left(\lambda_A e^{-\lambda_A t} + \lambda_B e^{-\lambda_B t} - (\lambda_A + \lambda_B) e^{-(\lambda_A + \lambda_B) t}\right) dt$$
The mean time to failure (MTTF) is given by
$$MTTF = \int_0^{\infty} t \left(\lambda_A e^{-\lambda_A t} + \lambda_B e^{-\lambda_B t} - (\lambda_A + \lambda_B) e^{-(\lambda_A + \lambda_B) t}\right) dt$$
Integrating by parts, it can be shown that:
$$\int_0^{\infty} x \, t \, e^{-xt} \, dt = \frac{1}{x}$$
Therefore,
$$MTTF = \frac{1}{\lambda_A} + \frac{1}{\lambda_B} - \frac{1}{\lambda_A + \lambda_B}$$
If the system is functionally tested at intervals of T, on average, the system failure will
remain undetected for an interval of T/2. Assuming that the time to effect repair (or put
the machine into a safe state) is short in comparison, the effective mean time to repair
(MTTR) is also T/2. Therefore, the average probability of the system being in a failed state
(i.e. PFD for a protective system) is:
$$PFD = \frac{MTTR}{MTTF + MTTR} \approx \frac{MTTR}{MTTF} = \frac{T}{2 \left( \dfrac{1}{\lambda_A} + \dfrac{1}{\lambda_B} - \dfrac{1}{\lambda_A + \lambda_B} \right)}$$
If $\lambda_A = \lambda_B = \lambda$, this simplifies to:
$$PFD = \frac{\lambda T}{3}$$
The PFD for a single channel system is:
$$PFD = \frac{\lambda T}{2}$$
It can be seen that if the system is only functionally tested, there is very little benefit from
redundancy.
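The derivation above is short enough to check numerically. The block below is an added example, not part of the HSE report: it codes the Appendix B failure density and closed-form MTTF, confirms the closed form by integrating the density, and compares the functionally tested pair with a single channel. It also includes the shortcut used in Appendix C (a CCF event with β = 2/3 on the lower-rate element) to show that it yields the same λT/3, and, for contrast only, the standard IEC 61508-6 simplified 1oo2 result for a proof-tested pair, (λT)²/3, which is not derived on this page. Rates are per hour, T in hours; all function names are this example's own.

```python
"""Added example (not from the report): the Appendix B functional-test PFD model.

Checks the closed-form MTTF of a redundant pair whose single failures are only
found when both elements have failed, and compares its PFD with one channel.
Units: failure rates per hour, test interval T in hours.
"""
import math


def system_failure_density(lam_a: float, lam_b: float, t: float) -> float:
    """f_sys(t) from Appendix B: density of the second (system) failure at time t."""
    return (lam_a * math.exp(-lam_a * t)
            + lam_b * math.exp(-lam_b * t)
            - (lam_a + lam_b) * math.exp(-(lam_a + lam_b) * t))


def mttf_closed_form(lam_a: float, lam_b: float) -> float:
    """MTTF = 1/lambda_A + 1/lambda_B - 1/(lambda_A + lambda_B)."""
    return 1.0 / lam_a + 1.0 / lam_b - 1.0 / (lam_a + lam_b)


def mttf_numeric(lam_a: float, lam_b: float, steps: int = 200_000) -> float:
    """Midpoint-rule integral of t * f_sys(t) over [0, t_max].

    t_max = 40 / min(lambda) makes the neglected tail of order exp(-40).
    """
    t_max = 40.0 / min(lam_a, lam_b)
    dt = t_max / steps
    total = 0.0
    for i in range(steps):
        t = (i + 0.5) * dt
        total += t * system_failure_density(lam_a, lam_b, t)
    return total * dt


def pfd_redundant_functional_test(lam_a: float, lam_b: float, T: float) -> float:
    """PFD ~ MTTR / MTTF with MTTR = T/2 (undetected for half an interval on average)."""
    return (T / 2.0) / mttf_closed_form(lam_a, lam_b)


def pfd_single_channel(lam: float, T: float) -> float:
    """Single channel, failure undetected until the next test: lambda * T / 2."""
    return lam * T / 2.0


def pfd_via_beta_factor(lam: float, T: float, beta: float = 2.0 / 3.0) -> float:
    """Appendix C shortcut: a CCF event with beta = 2/3 on the lower-rate element.

    beta * lambda * T / 2 equals lambda * T / 3, the Appendix B result for equal rates.
    """
    return beta * lam * T / 2.0


def pfd_redundant_proof_test(lam: float, T: float) -> float:
    """Standard IEC 61508-6 simplified 1oo2 result for a proof-tested pair (no CCF,
    no diagnostics): (lambda * T)^2 / 3. Included for contrast; not derived on this page."""
    return (lam * T) ** 2 / 3.0


if __name__ == "__main__":
    lam, T = 1e-6, 8760.0   # constructed sample: 1 failure per 10^6 h, yearly test
    print("MTTF closed form :", mttf_closed_form(lam, 2 * lam))
    print("MTTF numeric     :", mttf_numeric(lam, 2 * lam))
    print("PFD single       :", pfd_single_channel(lam, T))
    print("PFD 1oo2 func.   :", pfd_redundant_functional_test(lam, lam, T))
    print("PFD 1oo2 beta=2/3:", pfd_via_beta_factor(lam, T))
    print("PFD 1oo2 proof   :", pfd_redundant_proof_test(lam, T))
```

With λ = 10^-6/h and T = 8760 h the functionally tested pair comes out at two thirds of the single-channel PFD, whereas the proof-tested pair is about two orders of magnitude lower, which is the point the appendix makes about functional testing giving little credit for redundancy.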
APPENDIX C:
CALCULATION OF FAILURE MEASURES AND COMPARISON WITH
ARCHITECTURAL CONSTRAINTS FOR MACHINERY GUARDING CIRCUITS
Methodology
Reference C1 reported a comparison of qualitatively assessed against numerically assessed
SILs for a number of machinery guard interlock circuits.
The circuits considered are presented in Figures C1 to C18. Each circuit is a different
means of achieving the same purpose i.e. to stop motive power to a machine if a guard is
opened or to prevent motive power being applied if the guard is open. Each circuit does this
by interrupting the current to the motor (or to the circuit breaker controlling the motor) if the
guard is open.
Fault trees were constructed to show the failures or combinations of failures which would
prevent the motor from stopping if a guard is opened.
Many of the circuits incorporate checking features which check that the relays are capable of
dropping out or pulling in, as would be required to stop the motor, each time the guard is
operated. For example, if a relay is stuck open, the motor cannot be restarted when the
guard is closed. The circuits were analysed to determine what failures would be revealed in
this way. It is assumed in the fault trees that the guard is operated daily and these faults are
classed as revealed with a repair time of 24 hours in the fault trees so that the probability of
failure on demand at time = 24 hours is correctly calculated.
It is assumed that all other faults are unrevealed except by proof test. Results have been
calculated assuming a proof test interval of one year.
In some multi-channel systems, failures of individual channels are unrevealed but failure of
all channels (i.e. system failure) is revealed. These situations have been modelled by
treating failure of one of the channels as revealed and the others as unrevealed. The
Probability of Failure on Demand (PFD) is the probability that the machine does not stop or
can be started with the guard open. It is not therefore the probability of harm to the
operator. This is given by:
Hazard Rate = PFD × Frequency of operator attempting to cross barriers by opening
guards without stopping machine (Fdemand)
In certain situations Fdemand will be small and the above relationship applies.
In other situations, it will be quite normal for the operator to rely on the opening of the
guard to stop the machine and will routinely and frequently be at risk if the interlock fails to
operate. In these circumstances, the relevant quantity is the Failure Rate since if a failure
occurs, the operator is at high risk the next time he opens the guard. Tables C2 – C19 list
the cutsets for each circuit, i.e. the combinations of component failures which would result
in system failure. The SIL of each circuit imposed by the architectural constraints is
assessed against the proposed scheme of Table 2 which defines the SIL level according to
the hardware fault tolerance. The fault tolerance is derived from the cutset lists in Tables C2
– C19. If the cutset list contains one or more single order unrevealed faults, (except CCFs
which are by definition multiple failures) then the hardware fault tolerance is zero. If the
cutset list has no single order unrevealed faults but has one or more second order unrevealed
faults, then the hardware fault tolerance is 1. The architectural constraint on the SIL is taken
from Table 2 assuming a SFF of < 60%.
The PFD and Frequency of Failure of each circuit are assessed assuming each component
within the circuit is proof tested annually and assuming various values of Common Cause
Failure beta-factor (1%, 5% and 10%). However in the industries where such interlock
circuits are most likely to be used it is unlikely that proof testing of individual circuit
components would be performed. Testing would most probably take the form of an annual
functional test. The PFD and Frequency of Failure for each of the 18 circuits have therefore
also been assessed assuming an annual functional test is performed. The SILs
corresponding to the assessed PFDs and Frequencies of Failure are derived.
The revised numerically assessed SIL values have then been compared to the architectural
constraints on SIL value for each circuit.
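The assessment steps described above (deriving the hardware fault tolerance from the cutset list, reading the architectural constraint for the default SFF band, and banding the calculated failure rate and PFD into SILs) can be written down as a small procedure. The block below is an added example, not part of the HSE report. The cutsets are transcribed from Tables C2 (Circuit 1) and C9 (Circuit 8); because the listings do not state which events are revealed or common cause, those attributes are supplied explicitly in the constructed data (CCF* events taken as common cause, all others unrevealed), and a third, wholly constructed list exercises the revealed case. The architectural constraint values are those shown for HFT 0 and 1 in Table C1; the SIL bands are the IEC 61508-1 target failure measures (not quoted on this page). The frequency figures from the listings are treated as per year, which is what reproduces the Table C1 SILs. Class and function names are this example's own.

```python
"""Added example (not from the report): Appendix C assessment steps in code.

Derives HFT from minimal cutsets, looks up the architectural constraint, and
bands a circuit's failure rate and PFD into SILs. Sample cutsets transcribed
from Tables C2 and C9; revealed/CCF attributes are supplied here explicitly.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class BasicEvent:
    name: str
    ccf: bool = False        # common cause failure: by definition a multiple failure
    revealed: bool = False   # revealed by daily guard operation (24 h repair) if True


Cutset = Sequence[BasicEvent]

# Architectural constraint on SIL by HFT and SFF band, as shown in Table C1.
SFF_BANDS: Tuple[str, ...] = ("<60%", "60-<90%", "90-<99%", ">=99%")
ARCH_CONSTRAINT: Dict[int, Tuple[int, ...]] = {0: (1, 2, 3, 3), 1: (2, 3, 4, 4)}

# IEC 61508-1 target failure measures: average PFD (low demand) and
# dangerous failures per hour (high demand / continuous). Half-open [lo, hi).
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
RATE_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def hardware_fault_tolerance(cutsets: List[Cutset]) -> Optional[int]:
    """Appendix C rule: HFT 0 if any single-order unrevealed non-CCF cutset exists;
    HFT 1 if none does but a second-order unrevealed cutset exists.
    A cutset is taken as unrevealed when none of its events is revealed (this
    example's reading of the text). None if neither rule applies."""
    unrevealed = [cs for cs in cutsets if not any(e.revealed for e in cs)]
    if any(len(cs) == 1 and not cs[0].ccf for cs in unrevealed):
        return 0
    if any(len(cs) == 2 for cs in unrevealed):
        return 1
    return None


def _band(value: float, bands: Dict[int, Tuple[float, float]]) -> Optional[int]:
    for sil, (lo, hi) in bands.items():
        if lo <= value < hi:
            return sil
    return None   # outside SIL1..SIL4


def sil_from_pfd(pfd: float) -> Optional[int]:
    return _band(pfd, PFD_BANDS)


def sil_from_failure_rate(freq_per_year: float) -> Optional[int]:
    return _band(freq_per_year / HOURS_PER_YEAR, RATE_BANDS)


def assess(cutsets: List[Cutset], freq_per_year: float, pfd: float,
           sff_band: str = "<60%") -> dict:
    """Architectural constraint versus numerically assessed SIL; the claimable SIL
    is the lower of the two, as the appendix's comparison applies it."""
    hft = hardware_fault_tolerance(cutsets)
    arch = ARCH_CONSTRAINT[hft][SFF_BANDS.index(sff_band)]
    sil_rate = sil_from_failure_rate(freq_per_year)
    sil_pfd = sil_from_pfd(pfd)
    return {
        "hft": hft,
        "arch_constraint_sil": arch,
        "sil_failure_rate": sil_rate,
        "sil_pfd": sil_pfd,
        "claimable_sil_rate_basis": min(arch, sil_rate) if sil_rate else None,
        "claimable_sil_pfd_basis": min(arch, sil_pfd) if sil_pfd else None,
    }


def ev(name: str, **attrs) -> BasicEvent:
    return BasicEvent(name, **attrs)


# Circuit 1 (Table C2): four single-order cutsets, none revealed, none CCF.
CIRCUIT1: List[Cutset] = [(ev("S1NCMFTO"),), (ev("S1NCCFTO"),),
                          (ev("CONDS/C"),), (ev("K1FTDO"),)]
# Circuit 8 (Table C9): single-order CCF events, everything else second order
# (a representative subset of the 14 cutsets in the listing).
CIRCUIT8: List[Cutset] = [(ev("CCFSWM", ccf=True),), (ev("CCFSFTO", ccf=True),),
                          (ev("CCFCSC", ccf=True),), (ev("CCFRELDO", ccf=True),),
                          (ev("K1FTDO"), ev("K2FTDO")),
                          (ev("S1NCCFTO"), ev("S2NOMFTO")),
                          (ev("COND1S/C"), ev("COND2S/C"))]
# Constructed: the only single-order fault is revealed daily, so it does not
# count against the fault tolerance and HFT is set by the second-order cutset.
CONSTRUCTED_REVEALED: List[Cutset] = [(ev("RELAY_STUCK", revealed=True),),
                                      (ev("SW_A"), ev("SW_B"))]

if __name__ == "__main__":
    print("Circuit 1:", assess(CIRCUIT1, freq_per_year=1.01e-2, pfd=5.03e-3))
    print("Circuit 8:", assess(CIRCUIT8, freq_per_year=1.34e-3, pfd=4.59e-4))
```

For Circuit 1 this gives HFT 0, a default architectural constraint of SIL 1, SIL 1 on the failure-rate basis and SIL 2 on the PFD basis; for Circuit 8 it gives HFT 1, constraint SIL 2, SIL 2 and SIL 3, matching the corresponding rows of Table C1. Passing a higher SFF band shows how the constraint relaxes when a better SFF can be demonstrated.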
Common Cause Failure
Common cause failure (CCF) has been modelled in the assessment of each of the 18 circuits
except for Circuit 1 which has no redundant components.
Beta factors of 1%, 5% and 10% have been assumed. Where the circuit has two limit
switches the CCF rate (and beta-factor) has been assumed to apply to the lowest failure rate
value of the two switches.
Annual Functional Tests
Appendix B shows that the effect of functional testing (as opposed to proof testing which
tests that all channels of a redundant system are working) is to reduce the PFD by a factor of
2/3 as compared to the single channel system. In effect, this gives very little credit for
redundancy. To estimate the PFD of a redundant pair of items therefore, assuming only
functional checks, a CCF event has been included using a beta factor of 2/3 applied to the
redundant item with the lowest failure rate. Where the circuits have multiple redundant
systems this approach is slightly conservative.
Results
Table C1 presents the results of the analyses outlined above. For each of the 18 circuits
analysed, the SILs corresponding to both the calculated failure rate and PFD are presented,
along with the architectural constraint on SIL resulting from the application of Table 2,
assuming a SFF of <60%.
The SIL values derived on a failure rate basis assuming an annual proof test are generally
equal to or lower by one level than the SIL imposed by the architectural constraints. The
only exception is Circuit 12 assuming no or a very low CCF, which is restrained by two
levels. This circuit has a very low failure rate because of a high degree of self testing.
The architectural constraints are more restrictive if the SIL is calculated on the basis of PFD,
reducing the SIL by two levels in many cases.
The application of yearly functional testing results in a lower numerically assessed SIL than
yearly proof testing. However, in no case is it lower than the architectural constraint.
Conclusions
The architectural constraints of Table 2 are reasonably consistent with the calculated failure
rate and PFD for “low complexity” systems. In all cases, applying the architectural
constraint results in the same or a lower SIL as is calculated from the failure rate or PFD,
with the most severe constraints (up to two levels) being at the highest calculated SILs,
which suggests that the “default” constraint (SFF<60%) is set at the correct level.
If a SFF better than 60% can be demonstrated from good data or from FMEA, then the
architectural constraints will be relaxed by up to 2 levels. In most cases, this will allow a
higher SIL to be claimed.
References
C1 ‘Health and Safety Executive – Analysis of Machinery Guard Interlock Circuits’, R96-
157(N), First Issue, November 1996, R M Consultants Ltd., (J2403).
Columns (left to right): Circuit | Hardware Fault Tolerance | Architectural Constraint (SIL) for SFF = <60% (Default), 60%-<90%, 90%-<99%, ≥99% | Failure Rate Basis (SIL): No CCF, PTI = 1y; CCF β=1%, PTI = 1y; CCF β=5%, PTI = 1y; CCF β=10%, PTI = 1y; Functional test = 1y (β=67%) | PFD Basis (SIL): No CCF, PTI = 1y; CCF β=1%, PTI = 1y; CCF β=5%, PTI = 1y; CCF β=10%, PTI = 1y; Functional test = 1y (β=67%)
1 | 0 | 1 2 3 3 | 1 1 1 1 1 | 2 2 2 2 2
2 | 0 | 1 2 3 3 | 2 2 2 2 2 | 2 2 2 2 2
3 | 0 | 1 2 3 3 | 2 2 2 2 2 | 2 2 2 2 2
4 | 0 | 1 2 3 3 | 2 2 2 2 2 | 3 3 3 3 3
5 | 0 | 1 2 3 3 | 2 2 2 2 2 | 3 3 3 3 3
6 | 0 | 1 2 3 3 | 2 2 2 2 2 | 3 3 3 3 3
7 | 0 | 1 2 3 3 | 2 2 2 2 2 | 2 2 2 2 2
8 | 1 | 2 3 4 4 | 2 2 2 2 2 | 3 3 3 3 2
9 | 1 | 2 3 4 4 | 3 3 3 3 2 | 3 3 3 3 3
10 | 1 | 2 3 4 4 | 3 3 3 3 2 | 4 4 3 3 2
11 | 1 | 2 3 4 4 | 3 3 3 2 2 | 4 4 4 4 3
12 | 1 | 2 3 4 4 | 4 4 3 3 2 | 4 4 4 4 3
13 | 1 | 2 3 4 4 | 3 3 3 3 2 | 4 4 3 3 2
14 | 1 | 2 3 4 4 | 2 2 2 2 2 | 3 3 3 3 2
15 | 1 | 2 3 4 4 | 2 2 2 2 2 | 3 3 3 3 2
16 | 1 | 2 3 4 4 | 3 3 3 3 2 | 4 4 4 4 4
17 | 1 | 2 3 4 4 | 3 3 3 3 2 | 4 4 4 4 4
18 | 1 | 2 3 4 4 | 3 3 3 3 2 | 4 4 4 4 4
TABLE C1: COMPARISON OF ARCHITECTURAL CONSTRAINTS AND NUMERICALLY ASSESSED SILS
FIGURE C1: CIRCUIT 1
FIGURE C2: CIRCUIT 2
FIGURE C3: CIRCUIT 3
FIGURE C4: CIRCUIT 4
FIGURE C5: CIRCUIT 5
FIGURE C6: CIRCUIT 6
FIGURE C7: CIRCUIT 7
FIGURE C8: CIRCUIT 8
FIGURE C9: CIRCUIT 9
FIGURE C10: CIRCUIT 10
FIGURE C11: CIRCUIT 11
FIGURE C12: CIRCUIT 12
FIGURE C13: CIRCUIT 13
FIGURE C14: CIRCUIT 14
FIGURE C15: CIRCUIT 15
FIGURE C16: CIRCUIT 16
FIGURE C17: CIRCUIT 17
FIGURE C18: CIRCUIT 18
TABLE C2: CUTSET LISTING FOR TOP EVENT CCT1
Version 5.27 Date(dd-mm-yy): 29-08-01 Time: 15.45.14 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF Top Event: CCT1 Freq: 1.01E-02 Prob: 5.03E-03
No. | Events | Frequency | Probability
1 | S1NCMFTO | 1.70E-03 | 8.50E-04
2 | S1NCCFTO | 1.70E-03 | 8.50E-04
3 | CONDS/C | 5.00E-03 | 2.50E-03
4 | K1FTDO | 1.68E-03 | 8.40E-04
TABLE C3: CUTSET LISTING FOR TOP EVENT CCT2
Version 5.27 Date(dd-mm-yy): 29-08-01 Time: 15.47.25 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF Top Event: CCT2 Freq: 8.42E-03 Prob: 4.20E-03
No. | Events | Frequency | Probability
1 | S1NCMFTO | 1.70E-03 | 8.50E-04
2 | S1NCCFTO | 1.70E-03 | 8.50E-04
3 | CONDS/C | 5.00E-03 | 2.50E-03
4 | CCFRELDO | 1.68E-05 | 8.40E-06
5 | K1FTDO K2FTDO | 2.82E-06 | 9.41E-07
TABLE C4: CUTSET LISTING FOR TOP EVENT CCT3
Version 5.27 Date(dd-mm-yy): 29-08-01 Time: 15.48.07 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF Top Event: CCT3 Freq: 8.42E-03 Prob: 4.20E-03
No. | Events | Frequency | Probability
1 | S1NCMFTO | 1.70E-03 | 8.50E-04
2 | S1NCCFTO | 1.70E-03 | 8.50E-04
3 | CONDS/C | 5.00E-03 | 2.50E-03
4 | CCFRDOR | 1.68E-05 | 4.60E-08
5 | K2FTDOR K3FTDOR | 1.55E-08 | 2.12E-11
TABLE C5: CUTSET LISTING FOR TOP EVENT CCT4
Version 5.27 Date(dd-mm-yy): 29-08-01 Time: 15.48.32 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF Top Event: CCT4 Freq: 1.76E-03 Prob: 8.69E-04
No. | Events | Frequency | Probability
1 | S1NCMFTO | 1.70E-03 | 8.50E-04
2 | S1NCCFTO S1NOCFTC | 2.89E-06 | 9.63E-07
3 | CONDS/C S1NOCFTC | 8.50E-06 | 2.83E-06
4 | CCFRDOR S1NOCFTC | 1.44E-08 | 3.91E-11
5 | CONDS/C CONDO/C | 2.50E-05 | 8.33E-06
6 | S1NCCFTO CONDO/C | 8.50E-06 | 2.83E-06
7 | S1NCCFTO K3FTPI | 2.86E-06 | 9.52E-07
8 | CCFRDOR K3FTPI | 1.42E-08 | 3.87E-11
9 | CONDS/C K3FTPI | 8.40E-06 | 2.80E-06
10 | CCFRDOR CONDO/C | 4.22E-08 | 1.15E-10
11 | K1FTDOR K2FTDOR S1NOCFTC | 1.32E-11 | 1.80E-14
12 | K1FTDOR K2FTDOR CONDO/C | 3.88E-11 | 5.30E-14
13 | K1FTDOR K2FTDOR K3FTPI | 1.30E-11 | 1.78E-14
TABLE C6: CUTSET LISTING FOR TOP EVENT CCT5
Version 5.27 Date(dd-mm-yy): 29-08-01 Time: 15.48.54 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF Top Event: CCT5 Freq: 1.75E-03 Prob: 8.65E-04
No. | Events | Frequency | Probability
1 | S1NCMFTO | 1.70E-03 | 8.50E-04
2 | S1NCCFTO S1NOCFTC | 2.89E-06 | 9.63E-07
3 | CONDS/C S1NOCFTC | 8.50E-06 | 2.83E-06
4 | CCFRDOR S1NOCFTC | 1.44E-08 | 3.91E-11
5 | CONDS/C CONDO/C | 2.50E-05 | 8.33E-06
6 | S1NCCFTO CONDO/C | 8.50E-06 | 2.83E-06
7 | S1NCCFTO K1FTPIR | 1.44E-06 | 3.91E-09
8 | CCFRDOR K1FTPIR | 1.55E-10 | 2.12E-13
9 | CONDS/C K1FTPIR | 4.22E-06 | 1.15E-08
10 | CCFRDOR CONDO/C | 4.22E-08 | 1.15E-10
11 | K2FTDOR K3FTDOR S1NOCFTC | 1.32E-11 | 1.80E-14
12 | K2FTDOR K3FTDOR CONDO/C | 3.88E-11 | 5.30E-14
13 | K2FTDOR K3FTDOR K1FTPIR | 1.07E-13 | 9.75E-17
TABLE C7: CUTSET LISTING FOR TOP EVENT CCT6
Version 5.27 Date(dd-mm-yy): 29-08-01 Time: 15.49.21 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF Top Event: CCT6 Freq: 1.73E-03 Prob: 8.50E-04
No. | Events | Frequency | Probability
1 | S1NCMFTO | 1.70E-03 | 8.50E-04
2 | S1NCCFTO S1NOFTCR | 1.45E-06 | 3.96E-09
3 | CONDS/C S1NOFTCR | 4.27E-06 | 1.16E-08
4 | CCFRDOR S1NOFTCR | 1.57E-10 | 2.14E-13
5 | CONDS/C CON1O/CR | 1.26E-05 | 3.42E-08
6 | S1NCCFTO CON1O/CR | 4.27E-06 | 1.16E-08
7 | S1NCCFTO K4FTPIR | 1.44E-06 | 3.91E-09
8 | CCFRDOR K4FTPIR | 1.55E-10 | 2.12E-13
9 | CONDS/C K4FTPIR | 4.22E-06 | 1.15E-08
10 | CCFRDOR CON1O/CR | 4.60E-10 | 6.31E-13
11 | K2FTDOR K3FTDOR S1NOFTCR | 1.08E-13 | 9.87E-17
12 | K2FTDOR K3FTDOR CON1O/CR | 3.18E-13 | 2.90E-16
13 | K2FTDOR K3FTDOR K4FTPIR | 1.07E-13 | 9.75E-17
TABLE C8: CUTSET LISTING FOR TOP EVENT CCT7
Version 5.27 Date(dd-mm-yy): 29-08-01 Time: 15.49.43 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF Top Event: CCT7 Freq: 3.00E-03 Prob: 1.29E-03
No. | Events | Frequency | Probability
1 | CCFSWM | 1.70E-05 | 8.50E-06
2 | CCFSFTO | 1.70E-05 | 8.50E-06
3 | CCFCSC | 5.00E-05 | 2.50E-05
4 | K1FTDO | 1.68E-03 | 8.40E-04
5 | S1NCMFTO S2NOMFTO | 1.21E-04 | 3.98E-05
6 | S1NCCFTO S2NOMFTO | 1.21E-04 | 3.98E-05
7 | COND1S/C S2NOMFTO | 3.56E-04 | 1.17E-04
8 | S1NCMFTO S2NCCFTO | 1.21E-04 | 3.98E-05
9 | S1NCMFTO COND2S/C | 8.50E-06 | 2.83E-06
10 | S1NCCFTO S2NCCFTO | 1.21E-04 | 3.98E-05
11 | S1NCCFTO COND2S/C | 8.50E-06 | 2.83E-06
12 | COND1S/C S2NCCFTO | 3.56E-04 | 1.17E-04
13 | COND1S/C COND2S/C | 2.50E-05 | 8.33E-06
TAB
LE C9: CUTSET LISTING FOR TOP EVENT CCT8
Version 5.27 Date(dd-mm-yy): 29-08-01 Time: 15.50.22 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF Top Event: CCT8 Freq: 1.34E-03 Prob: 4.59E-04
No. | Events | Frequency | Probability
1 | CCFSWM | 1.70E-05 | 8.50E-06
2 | CCFSFTO | 1.70E-05 | 8.50E-06
3 | CCFCSC | 5.00E-05 | 2.50E-05
4 | CCFRELDO | 1.68E-05 | 8.40E-06
5 | K1FTDO K2FTDO | 2.82E-06 | 9.41E-07
6 | S1NCCFTO S2NOMFTO | 1.21E-04 | 3.98E-05
7 | COND1S/C S2NOMFTO | 3.56E-04 | 1.17E-04
8 | S1NCMFTO S2NCCFTO | 1.21E-04 | 3.98E-05
9 | S1NCMFTO COND2S/C | 8.50E-06 | 2.83E-06
10 | S1NCMFTO S2NOMFTO | 1.21E-04 | 3.98E-05
11 | S1NCCFTO S2NCCFTO | 1.21E-04 | 3.98E-05
12 | S1NCCFTO COND2S/C | 8.50E-06 | 2.83E-06
13 | COND1S/C S2NCCFTO | 3.56E-04 | 1.17E-04
14 | COND1S/C COND2S/C | 2.50E-05 | 8.33E-06
TABLE C10: CUTSET LISTING FOR TOP EVENT CCT9
Version 5.27 Date(dd-mm-yy): 29-08-01 Time: 15.50.44 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF Top Event: CCT9 Freq: 7.56E-04 Prob: 2.52E-04
No. | Events | Frequency | Probability
1 | CCFRELDO | 1.68E-05 | 8.40E-06
2 | LINK1FTO S2NOMFTO | 7.12E-22 | 2.34E-22
3 | K1FTDO K2FTDO | 2.82E-06 | 9.41E-07
4 | LINK1FTO S2NCCFTO | 7.12E-22 | 2.34E-22
5 | LINK1FTO COND2S/C | 5.00E-23 | 1.67E-23
6 | CONLKS/C S2NOMFTO | 3.56E-04 | 1.17E-04
7 | CONLKS/C S2NCCFTO | 3.56E-04 | 1.17E-04
8 | CONLKS/C COND2S/C | 2.50E-05 | 8.33E-06
TABLE C11: CUTSET LISTING FOR TOP EVENT CCT10
Version 5.27 Date(dd-mm-yy): 29-08-01 Time: 15.51.28 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF Top Event: CCT10 Freq: 2.25E-04 Prob: 8.70E-05
No. | Events | Frequency | Probability
1 | CCFSFTO | 1.70E-05 | 8.50E-06
2 | CCFSWM | 1.70E-05 | 8.50E-06
3 | CCFCSC | 5.00E-05 | 2.50E-05
4 | K1FTDO K2FTPI | 2.82E-06 | 9.41E-07
5 | S1MFTO S2MFTO | 1.21E-04 | 3.98E-05
6 | S2MFTO K2FTPI S1NCCFTO | 2.02E-07 | 5.02E-08
7 | S1MFTO S2NCCFTO S2NOCFTC | 8.54E-06 | 2.10E-06
8 | S1MFTO K2FTPI S2NCCFTO | 2.02E-07 | 5.02E-08
9 | K1FTDO S2MFTO S1NOCFTC | 2.02E-07 | 5.02E-08
10 | K1FTDO S1MFTO S2NOCFTC | 2.02E-07 | 5.02E-08
11 | S2MFTO S1NCCFTO S1NOCFTC | 2.05E-07 | 5.08E-08
12 | K1FTDO S1NOCFTC S2NOCFTC | 2.02E-07 | 5.02E-08
13 | K2FTPI S1NCCFTO S2NCCFTO | 2.02E-07 | 5.02E-08
14 | K2FTPI COND1S/C COND2S/C | 4.20E-08 | 1.05E-08
15 | S2MFTO COND1S/C S1NOCFTC | 6.02E-07 | 1.49E-07
16 | S2MFTO S1NCCFTO COND1O/C | 6.02E-07 | 1.49E-07
17 | S1MFTO K2FTPI COND2S/C | 1.43E-08 | 3.57E-09
18 | S2MFTO K2FTPI COND1S/C | 5.95E-07 | 1.48E-07
19 | S1MFTO COND2S/C S2NOCFTC | 6.02E-07 | 1.49E-07
20 | S1MFTO S2NCCFTO COND2O/C | 6.02E-07 | 1.49E-07
21 | K1FTDO S2MFTO COND1O/C | 5.95E-07 | 1.48E-07
22 | K1FTDO S1MFTO COND2O/C | 1.43E-08 | 3.57E-09
23 | K1FTDO COND1O/C S2NOCFTC | 5.95E-07 | 1.48E-07
24 | K1FTDO S1NOCFTC COND2O/C | 1.43E-08 | 3.57E-09
25 | K2FTPI COND1S/C S2NCCFTO | 5.95E-07 | 1.48E-07
26 | K2FTPI S1NCCFTO COND2S/C | 1.43E-08 | 3.57E-09
27 | K1FTDO COND1O/C COND2O/C | 4.20E-08 | 1.05E-08
28 | S1MFTO COND2S/C COND2O/C | 4.25E-08 | 1.06E-08
29 | S2MFTO COND1S/C COND1O/C | 1.77E-06 | 4.39E-07
30 | S1NCCFTO S2NCCFTO S1NOCFTC COND2O/C | 1.02E-09 | 2.03E-10
31 | S1NCCFTO S2NCCFTO COND1O/C S2NOCFTC | 4.25E-08 | 8.40E-09
32 | S1NCCFTO COND2S/C S1NOCFTC S2NOCFTC | 1.02E-09 | 2.03E-10
33 | COND1S/C S2NCCFTO S1NOCFTC S2NOCFTC | 4.25E-08 | 8.40E-09
34 | S1NCCFTO S2NCCFTO S1NOCFTC S2NOCFTC | 1.45E-08 | 2.86E-09
35 | COND1S/C COND2S/C S1NOCFTC S2NOCFTC | 3.01E-09 | 5.98E-10
36 | COND1S/C S2NCCFTO COND1O/C S2NOCFTC | 1.25E-07 | 2.47E-08
37 | COND1S/C S2NCCFTO S1NOCFTC COND2O/C | 3.01E-09 | 5.98E-10
38 | S1NCCFTO COND2S/C COND1O/C S2NOCFTC | 3.01E-09 | 5.98E-10
39 | S1NCCFTO COND2S/C S1NOCFTC COND2O/C | 7.23E-11 | 1.45E-11
40 | S1NCCFTO S2NCCFTO COND1O/C COND2O/C | 3.01E-09 | 5.98E-10
41 | COND1S/C COND2S/C COND1O/C S2NOCFTC | 8.84E-09 | 1.76E-09
42 | COND1S/C COND2S/C S1NOCFTC COND2O/C | 2.13E-10 | 4.25E-11
43 | COND1S/C S2NCCFTO COND1O/C COND2O/C | 8.84E-09 | 1.76E-09
44 | S1NCCFTO COND2S/C COND1O/C COND2O/C | 2.13E-10 | 4.25E-11
45 | COND1S/C COND2S/C COND1O/C COND2O/C | 6.25E-10 | 1.25E-10
TABLE C12: CUTSET LISTING FOR TOP EVENT CCT11
Version 5.27 Date(dd-mm-yy): 29-08-01 Time: 15.51.55 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF Top Event: CCT11 Freq: 3.29E-04 Prob: 9.35E-06
No. Events Frequency Probability CCFSWMR 1.70E-05 4.66E-08 CCFSFTO 1.70E-05 8.50E-06 CCFCSCR 5.00E-05 1.37E-07 S2MFTOR S1NCCFTO 6.15E-05 1.68E-07 S1MFTOR S2NCFTOR 6.71E-07 9.19E-10 S1MFTOR S2MFTOR 6.71E-07 9.19E-10 K1FTDOR S1MFTOR 1.57E-08 2.14E-11 K1FTDOR S2MFTOR 6.63E-07 9.08E-10 K1FTDOR K2FTPIR 1.55E-08 2.12E-11 K1FTDOR S2NOFTCR 6.63E-07 9.08E-10 K1FTDOR S1NOFTCR 1.57E-08 2.14E-11 K1FTDOR CON1O/CR 4.60E-08 6.31E-11 K1FTDOR CON2O/CR 4.60E-08 6.31E-11 S1MFTOR CON2S/CR 4.66E-08 6.38E-11 S2MFTOR COND1S/C 1.81E-04 4.93E-07 S1NCCFTO S2NCFTOR S1NOFTCR 5.72E-10 7.81E-13 S1NCCFTO S2NCFTOR S2NOFTCR 2.42E-08 3.31E-11 K2FTPIR S1NCCFTO S2NCFTOR 5.65E-10 7.72E-13 K2FTPIR COND1S/C S2NCFTOR 1.66E-09 2.27E-12 K2FTPIR S1NCCFTO CON2S/CR 3.92E-11 5.36E-14 COND1S/C S2NCFTOR S2NOFTCR 7.12E-08 9.73E-11 S1NCCFTO CON2S/CR S2NOFTCR 1.68E-09 2.30E-12 S1NCCFTO S2NCFTOR CON2O/CR 1.68E-09 2.30E-12 COND1S/C S2NCFTOR S1NOFTCR 1.68E-09 2.30E-12 S1NCCFTO CON2S/CR S1NOFTCR 3.97E-11 5.42E-14 S1NCCFTO S2NCFTOR CON1O/CR 1.68E-09 2.30E-12 K2FTPIR COND1S/C CON2S/CR 1.15E-10 1.58E-13 COND1S/C CON2S/CR S2NOFTCR 4.94E-09 6.76E-12 COND1S/C S2NCFTOR CON2O/CR 4.94E-09 6.76E-12 S1NCCFTO CON2S/CR CON2O/CR 1.17E-10 1.60E-13 COND1S/C CON2S/CR S1NOFTCR 1.17E-10 1.60E-13 COND1S/C S2NCFTOR CON1O/CR 4.94E-09 6.76E-12 S1NCCFTO CON2S/CR CON1O/CR 1.17E-10 1.60E-13 COND1S/C CON2S/CR CON2O/CR 3.43E-10 4.69E-13 COND1S/C CON2S/CR CON1O/CR 3.43E-10 4.69E-13
TABLE C13: CUTSET LISTING FOR TOP EVENT CCT12
Version 5.27 Date(dd-mm-yy): 29-08-01 Time: 15.52.23 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT12 Freq: 9.23E-05 Prob: 8.69E-06
No. | Events | Frequency | Probability
1 | CCFSWMR | 1.70E-05 | 4.66E-08
2 | CCFSFTO | 1.70E-05 | 8.50E-06
3 | CCFCSCR | 5.00E-05 | 1.37E-07
4 | S1MFTOR S2MFTOR | 6.71E-07 | 9.19E-10
5 | K1FTDOR S2MFTOR | 6.63E-07 | 9.08E-10
6 | K2FTPIR S1MFTOR | 1.57E-08 | 2.14E-11
7 | S1NCFTOR S2MFTOR | 6.71E-07 | 9.19E-10
8 | CON1S/CR S2MFTOR | 1.97E-06 | 2.70E-09
9 | S1MFTOR S2NOFTCR | 6.71E-07 | 9.19E-10
10 | S1MFTOR CON2O/CR | 4.66E-08 | 6.38E-11
11 | K1FTDOR K2FTPIR | 1.55E-08 | 2.12E-11
12 | K1FTDOR S2NOFTCR | 6.63E-07 | 9.08E-10
13 | K1FTDOR CON2O/CR | 4.60E-08 | 6.31E-11
14 | K2FTPIR S1NCFTOR | 1.57E-08 | 2.14E-11
15 | K2FTPIR CON1S/CR | 4.60E-08 | 6.31E-11
16 | S1NCFTOR S2NOFTCR | 6.71E-07 | 9.19E-10
17 | S1NCFTOR CON2O/CR | 4.66E-08 | 6.38E-11
18 | CON1S/CR S2NOFTCR | 1.97E-06 | 2.70E-09
19 | CON1S/CR CON2O/CR | 1.37E-07 | 1.88E-10
TABLE C14: CUTSET LISTING FOR TOP EVENT CCT13
Version 5.27 Date(dd-mm-yy): 29-08-01 Time: 15.53.03 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT13 Freq: 2.20E-04 Prob: 8.55E-05
No. | Events | Frequency | Probability
1 | CCFCSC | 5.00E-05 | 2.50E-05
2 | CCFSFTO | 1.70E-05 | 8.50E-06
3 | CCFSWM | 1.70E-05 | 8.50E-06
4 | S1MFTO S2MFTO | 1.21E-04 | 3.98E-05
5 | CCFRDOR K3FTPI | 1.42E-08 | 3.87E-11
6 | S1MFTO K3FTPI S2NCCFTO | 2.02E-07 | 5.02E-08
7 | CCFRDOR S1MFTO S2NOCFTC | 5.08E-10 | 1.83E-12
8 | CCFRDOR S1NOCFTC S2NOCFTC | 5.08E-10 | 1.83E-12
9 | K3FTPI COND1S/C COND2S/C | 4.20E-08 | 1.05E-08
10 | S1MFTO S2NCCFTO S2NOCFTC | 8.54E-06 | 2.10E-06
11 | S2MFTO S1NCCFTO S1NOCFTC | 2.05E-07 | 5.08E-08
12 | K3FTPI S1NCCFTO S2NCCFTO | 2.02E-07 | 5.02E-08
13 | S2MFTO K3FTPI S1NCCFTO | 2.02E-07 | 5.02E-08
14 | CCFRDOR S2MFTO S1NOCFTC | 5.08E-10 | 1.83E-12
15 | S2MFTO COND1S/C COND1O/C | 1.77E-06 | 4.39E-07
16 | S1MFTO COND2S/C COND2O/C | 4.25E-08 | 1.06E-08
17 | K1FTDOR K2FTDOR K3FTPI | 1.30E-11 | 1.78E-14
18 | CCFRDOR COND1O/C COND2O/C | 1.06E-10 | 3.84E-13
19 | CCFRDOR S2MFTO COND1O/C | 1.49E-09 | 5.39E-12
20 | CCFRDOR S1MFTO COND2O/C | 3.61E-11 | 1.30E-13
21 | S1MFTO K3FTPI COND2S/C | 1.43E-08 | 3.57E-09
22 | CCFRDOR COND1O/C S2NOCFTC | 1.49E-09 | 5.39E-12
23 | CCFRDOR S1NOCFTC COND2O/C | 3.61E-11 | 1.30E-13
24 | S2MFTO K3FTPI COND1S/C | 5.95E-07 | 1.48E-07
25 | K3FTPI S1NCCFTO COND2S/C | 1.43E-08 | 3.57E-09
26 | K3FTPI COND1S/C S2NCCFTO | 5.95E-07 | 1.48E-07
27 | S2MFTO S1NCCFTO COND1O/C | 6.02E-07 | 1.49E-07
28 | S1MFTO COND2S/C S2NOCFTC | 6.02E-07 | 1.49E-07
29 | S1MFTO S2NCCFTO COND2O/C | 6.02E-07 | 1.49E-07
30 | S2MFTO COND1S/C S1NOCFTC | 6.02E-07 | 1.49E-07
31 | S1NCCFTO S2NCCFTO S1NOCFTC COND2O/C | 1.02E-09 | 2.03E-10
32 | S1NCCFTO S2NCCFTO COND1O/C S2NOCFTC | 4.25E-08 | 8.40E-09
33 | S1NCCFTO COND2S/C S1NOCFTC S2NOCFTC | 1.02E-09 | 2.03E-10
34 | COND1S/C S2NCCFTO S1NOCFTC S2NOCFTC | 4.25E-08 | 8.40E-09
35 | K1FTDOR K2FTDOR S2MFTO COND1O/C | 1.37E-12 | 2.48E-15
36 | K1FTDOR K2FTDOR S1MFTO COND2O/C | 3.30E-14 | 6.00E-17
37 | K1FTDOR K2FTDOR COND1O/C S2NOCFTC | 1.37E-12 | 2.48E-15
38 | K1FTDOR K2FTDOR S1NOCFTC COND2O/C | 3.30E-14 | 6.00E-17
39 | K1FTDOR K2FTDOR S1NOCFTC S2NOCFTC | 4.65E-13 | 8.44E-16
40 | COND1S/C COND2S/C S1NOCFTC S2NOCFTC | 3.01E-09 | 5.98E-10
41 | COND1S/C S2NCCFTO COND1O/C S2NOCFTC | 1.25E-07 | 2.47E-08
42 | COND1S/C S2NCCFTO S1NOCFTC COND2O/C | 3.01E-09 | 5.98E-10
43 | S1NCCFTO COND2S/C COND1O/C S2NOCFTC | 3.01E-09 | 5.98E-10
44 | S1NCCFTO COND2S/C S1NOCFTC COND2O/C | 7.23E-11 | 1.45E-11
45 | S1NCCFTO S2NCCFTO COND1O/C COND2O/C | 3.01E-09 | 5.98E-10
46 | K1FTDOR K2FTDOR S1MFTO S2NOCFTC | 4.65E-13 | 8.44E-16
47 | K1FTDOR K2FTDOR S2MFTO S1NOCFTC | 4.65E-13 | 8.44E-16
48 | S1NCCFTO S2NCCFTO S1NOCFTC S2NOCFTC | 1.45E-08 | 2.86E-09
49 | K1FTDOR K2FTDOR COND1O/C COND2O/C | 9.72E-14 | 1.77E-16
50 | COND1S/C COND2S/C COND1O/C S2NOCFTC | 8.84E-09 | 1.76E-09
51 | COND1S/C COND2S/C S1NOCFTC COND2O/C | 2.13E-10 | 4.25E-11
52 | COND1S/C S2NCCFTO COND1O/C COND2O/C | 8.84E-09 | 1.76E-09
53 | S1NCCFTO COND2S/C COND1O/C COND2O/C | 2.13E-10 | 4.25E-11
54 | COND1S/C COND2S/C COND1O/C COND2O/C | 6.25E-10 | 1.25E-10
TABLE C15: CUTSET LISTING FOR TOP EVENT CCT14
Version 5.27 Date(dd-mm-yy): 29-08-01 Time: 15.53.27 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT14 Freq: 1.34E-03 Prob: 4.50E-04
No. | Events | Frequency | Probability
1 | CCFCSC | 5.00E-05 | 2.50E-05
2 | CCFRDOR | 1.68E-05 | 4.60E-08
3 | CCFSWM | 1.70E-05 | 8.50E-06
4 | CCFSFTO | 1.70E-05 | 8.50E-06
5 | S1MFTO S2MFTO | 1.21E-04 | 3.98E-05
6 | K1FTDOR K2FTDOR | 1.55E-08 | 2.12E-11
7 | S1NCCFTO S2MFTO | 1.21E-04 | 3.98E-05
8 | COND1S/C S2MFTO | 3.56E-04 | 1.17E-04
9 | S1MFTO S2NCCFTO | 1.21E-04 | 3.98E-05
10 | S1MFTO COND2S/C | 8.50E-06 | 2.83E-06
11 | S1NCCFTO S2NCCFTO | 1.21E-04 | 3.98E-05
12 | S1NCCFTO COND2S/C | 8.50E-06 | 2.83E-06
13 | COND1S/C S2NCCFTO | 3.56E-04 | 1.17E-04
14 | COND1S/C COND2S/C | 2.50E-05 | 8.33E-06
TABLE C16: CUTSET LISTING FOR TOP EVENT CCT15
Version 5.27 Date(dd-mm-yy): 29-08-01 Time: 15.53.51 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT15 Freq: 1.34E-03 Prob: 4.50E-04
No. | Events | Frequency | Probability
1 | CCFCSC | 5.00E-05 | 2.50E-05
2 | CCFRDOR | 1.68E-05 | 4.60E-08
3 | CCFSWM | 1.70E-05 | 8.50E-06
4 | CCFSFTO | 1.70E-05 | 8.50E-06
5 | S1MFTO S2MFTO | 1.21E-04 | 3.98E-05
6 | K2FTDOR K3FTDOR | 1.55E-08 | 2.12E-11
7 | S1NCCFTO S2MFTO | 1.21E-04 | 3.98E-05
8 | COND1S/C S2MFTO | 3.56E-04 | 1.17E-04
9 | S1MFTO S2NCCFTO | 1.21E-04 | 3.98E-05
10 | S1MFTO COND2S/C | 8.50E-06 | 2.83E-06
11 | S1NCCFTO S2NCCFTO | 1.21E-04 | 3.98E-05
12 | S1NCCFTO COND2S/C | 8.50E-06 | 2.83E-06
13 | COND1S/C S2NCCFTO | 3.56E-04 | 1.17E-04
14 | COND1S/C COND2S/C | 2.50E-05 | 8.33E-06
TABLE C17: CUTSET LISTING FOR TOP EVENT CCT16
Version 5.27 Date(dd-mm-yy): 29-08-01 Time: 15.54.21 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT16 Freq: 3.42E-04 Prob: 9.40E-07
No. | Events | Frequency | Probability
1 | CCFSWMR | 1.70E-05 | 4.66E-08
2 | S1MFTOR K2FTDOR | 1.57E-08 | 2.14E-11
3 | S1MFTOR S2MFTOR | 6.71E-07 | 9.19E-10
4 | S1MFTOR S2NCCFTO | 6.01E-05 | 1.64E-07
5 | S2MFTOR S1NCCFTO | 6.15E-05 | 1.68E-07
6 | S2MFTOR K2FTDOR | 6.63E-07 | 9.08E-10
7 | CCFCOCR CCFCSC | 1.26E-09 | 3.42E-12
8 | S2NOFTCR K2FTDOR | 6.63E-07 | 9.08E-10
9 | CCFCOCR CCFSFTO | 4.27E-10 | 1.16E-12
10 | S1NOFTCR K2FTDOR | 1.57E-08 | 2.14E-11
11 | CCFSFTCR CCFCSC | 4.27E-10 | 1.16E-12
12 | K1FTPIR K2FTDOR | 1.55E-08 | 2.12E-11
13 | S1MFTOR CCFSFTO | 1.45E-08 | 3.96E-11
14 | S1MFTOR CCFCSC | 4.27E-08 | 1.16E-10
15 | S1MFTOR COND2S/C | 4.27E-06 | 1.16E-08
16 | S2MFTOR COND1S/C | 1.81E-04 | 4.93E-07
17 | S2MFTOR CCFSFTO | 6.15E-07 | 1.68E-09
18 | S2MFTOR CCFCSC | 1.81E-06 | 4.93E-09
19 | CCFSFTCR CCFSFTO | 1.45E-10 | 3.96E-13
20 | CON1O/CR CCFCSC | 1.26E-07 | 3.42E-10
21 | CON1O/CR CCFSFTO | 4.27E-08 | 1.16E-10
22 | CON2O/CR K2FTDOR | 4.60E-08 | 6.31E-11
23 | S2NOFTCR CCFSFTO | 6.15E-07 | 1.68E-09
24 | S2NOFTCR CCFCSC | 1.81E-06 | 4.93E-09
25 | CON2O/CR CCFCSC | 1.26E-07 | 3.42E-10
26 | CON2O/CR CCFSFTO | 4.27E-08 | 1.16E-10
27 | K1FTPIR CCFCSC | 4.22E-08 | 1.15E-10
28 | CON1O/CR K2FTDOR | 4.60E-08 | 6.31E-11
29 | S1NOFTCR CCFSFTO | 1.45E-08 | 3.96E-11
30 | S1NOFTCR CCFCSC | 4.27E-08 | 1.16E-10
31 | K1FTPIR CCFSFTO | 1.44E-08 | 3.91E-11
32 | CCFCOCR K2FTDOR | 4.60E-10 | 6.31E-13
33 | CCFSFTCR K2FTDOR | 1.57E-10 | 2.14E-13
34 | K1FTPIR S1NCCFTO COND2S/C | 3.61E-09 | 1.30E-11
35 | K1FTPIR COND1S/C S2NCCFTO | 1.49E-07 | 5.39E-10
36 | CCFCOCR S1NCCFTO S2NCCFTO | 1.51E-09 | 5.46E-12
37 | CCFSFTCR S1NCCFTO S2NCCFTO | 5.14E-10 | 1.86E-12
38 | S1NOFTCR S1NCCFTO COND2S/C | 3.65E-09 | 1.32E-11
39 | CON2O/CR COND1S/C S2NCCFTO | 4.44E-07 | 1.61E-09
40 | CON2O/CR S1NCCFTO COND2S/C | 1.07E-08 | 3.88E-11
41 | S2NOFTCR COND1S/C COND2S/C | 4.55E-07 | 1.64E-09
42 | S1NOFTCR COND1S/C S2NCCFTO | 1.51E-07 | 5.46E-10
43 | CON1O/CR S1NCCFTO S2NCCFTO | 1.51E-07 | 5.46E-10
44 | CON1O/CR COND1S/C S2NCCFTO | 4.44E-07 | 1.61E-09
45 | CON1O/CR S1NCCFTO COND2S/C | 1.07E-08 | 3.88E-11
46 | S1NOFTCR COND1S/C COND2S/C | 1.07E-08 | 3.88E-11
47 | S2NOFTCR S1NCCFTO COND2S/C | 1.55E-07 | 5.59E-10
48 | S2NOFTCR COND1S/C S2NCCFTO | 6.40E-06 | 2.31E-08
49 | CCFSFTCR COND1S/C S2NCCFTO | 1.51E-09 | 5.46E-12
50 | CCFSFTCR S1NCCFTO COND2S/C | 3.65E-11 | 1.32E-13
51 | CCFCOCR COND1S/C S2NCCFTO | 4.44E-09 | 1.61E-11
52 | CCFCOCR S1NCCFTO COND2S/C | 1.07E-10 | 3.88E-13
53 | K1FTPIR COND1S/C COND2S/C | 1.06E-08 | 3.84E-11
54 | CON2O/CR S1NCCFTO S2NCCFTO | 1.51E-07 | 5.46E-10
55 | K1FTPIR S1NCCFTO S2NCCFTO | 5.08E-08 | 1.83E-10
56 | S1NOFTCR S1NCCFTO S2NCCFTO | 5.14E-08 | 1.86E-10
57 | S2NOFTCR S1NCCFTO S2NCCFTO | 2.18E-06 | 7.86E-09
58 | CON2O/CR COND1S/C COND2S/C | 3.16E-08 | 1.14E-10
59 | CON1O/CR COND1S/C COND2S/C | 3.16E-08 | 1.14E-10
60 | CCFSFTCR COND1S/C COND2S/C | 1.07E-10 | 3.88E-13
61 | CCFCOCR COND1S/C COND2S/C | 3.16E-10 | 1.14E-12
TABLE C18: CUTSET LISTING FOR TOP EVENT CCT17
Version 5.27 Date(dd-mm-yy): 29-08-01 Time: 15.54.46 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT17 Freq: 3.41E-04 Prob: 9.38E-07
No. | Events | Frequency | Probability
1 | CCFSWMR | 1.70E-05 | 4.66E-08
2 | S1MFTOR CCFCSC | 4.27E-08 | 1.16E-10
3 | S1MFTOR CCFSFTO | 1.45E-08 | 3.96E-11
4 | S1MFTOR CCFRDOR | 1.57E-10 | 2.14E-13
5 | S1MFTOR S2NCCFTO | 6.01E-05 | 1.64E-07
6 | S1MFTOR S2MFTOR | 6.71E-07 | 9.19E-10
7 | CCFRDOR CCFCOCR | 4.60E-12 | 6.31E-15
8 | S2MFTOR CCFCSC | 1.81E-06 | 4.93E-09
9 | S2MFTOR CCFSFTO | 6.15E-07 | 1.68E-09
10 | S2MFTOR CCFRDOR | 6.63E-09 | 9.08E-12
11 | S2MFTOR S1NCCFTO | 6.15E-05 | 1.68E-07
12 | CCFRDOR CCFSFTCR | 1.57E-12 | 2.14E-15
13 | CCFCSC S2NOFTCR | 1.81E-06 | 4.93E-09
14 | CCFSFTO S2NOFTCR | 6.15E-07 | 1.68E-09
15 | CCFRDOR S2NOFTCR | 6.63E-09 | 9.08E-12
16 | CCFSFTO CCFCOCR | 4.27E-10 | 1.16E-12
17 | CCFSFTO CCFSFTCR | 1.45E-10 | 3.96E-13
18 | CCFCSC S1NOFTCR | 4.27E-08 | 1.16E-10
19 | CCFSFTO S1NOFTCR | 1.45E-08 | 3.96E-11
20 | CCFRDOR S1NOFTCR | 1.57E-10 | 2.14E-13
21 | CCFCSC CCFCOCR | 1.26E-09 | 3.42E-12
22 | CCFCSC CCFSFTCR | 4.27E-10 | 1.16E-12
23 | CCFCSC K1FTPIR | 4.22E-08 | 1.15E-10
24 | CCFSFTO K1FTPIR | 1.44E-08 | 3.91E-11
25 | CCFRDOR K1FTPIR | 1.55E-10 | 2.12E-13
26 | CCFRDOR CON1O/CR | 4.60E-10 | 6.31E-13
27 | CCFSFTO CON1O/CR | 4.27E-08 | 1.16E-10
28 | S1MFTOR COND2S/C | 4.27E-06 | 1.16E-08
29 | S2MFTOR COND1S/C | 1.81E-04 | 4.93E-07
30 | CCFCSC CON2O/CR | 1.26E-07 | 3.42E-10
31 | CCFSFTO CON2O/CR | 4.27E-08 | 1.16E-10
32 | CCFRDOR CON2O/CR | 4.60E-10 | 6.31E-13
33 | CCFCSC CON1O/CR | 1.26E-07 | 3.42E-10
34 | S2NOFTCR COND1S/C S2NCCFTO | 6.40E-06 | 2.31E-08
35 | S2NOFTCR S1NCCFTO COND2S/C | 1.55E-07 | 5.59E-10
36 | K2FTDOR K3FTDOR CON2O/CR | 3.18E-13 | 2.90E-16
37 | CON2O/CR S1NCCFTO S2NCCFTO | 1.51E-07 | 5.46E-10
38 | K2FTDOR K3FTDOR K1FTPIR | 1.07E-13 | 9.75E-17
39 | K1FTPIR S1NCCFTO S2NCCFTO | 5.08E-08 | 1.83E-10
40 | CON1O/CR S1NCCFTO S2NCCFTO | 1.51E-07 | 5.46E-10
41 | S1NOFTCR COND1S/C S2NCCFTO | 1.51E-07 | 5.46E-10
42 | S1NOFTCR S1NCCFTO COND2S/C | 3.65E-09 | 1.32E-11
43 | K2FTDOR K3FTDOR CON1O/CR | 3.18E-13 | 2.90E-16
44 | K2FTDOR K3FTDOR S1NOFTCR | 1.08E-13 | 9.87E-17
45 | S1NOFTCR S1NCCFTO S2NCCFTO | 5.14E-08 | 1.86E-10
46 | K2FTDOR K3FTDOR S2NOFTCR | 4.58E-12 | 4.18E-15
47 | S2NOFTCR S1NCCFTO S2NCCFTO | 2.18E-06 | 7.86E-09
48 | S2MFTOR K2FTDOR K3FTDOR | 4.58E-12 | 4.18E-15
49 | S1MFTOR K2FTDOR K3FTDOR | 1.08E-13 | 9.87E-17
50 | CCFSFTCR S1NCCFTO S2NCCFTO | 5.14E-10 | 1.86E-12
51 | CCFCOCR S1NCCFTO S2NCCFTO | 1.51E-09 | 5.46E-12
52 | K1FTPIR COND1S/C S2NCCFTO | 1.49E-07 | 5.39E-10
53 | K1FTPIR S1NCCFTO COND2S/C | 3.61E-09 | 1.30E-11
54 | K2FTDOR K3FTDOR CCFSFTCR | 1.08E-15 | 9.87E-19
55 | K2FTDOR K3FTDOR CCFCOCR | 3.18E-15 | 2.90E-18
56 | CON2O/CR COND1S/C S2NCCFTO | 4.44E-07 | 1.61E-09
57 | CON2O/CR S1NCCFTO COND2S/C | 1.07E-08 | 3.88E-11
58 | S2NOFTCR COND1S/C COND2S/C | 4.55E-07 | 1.64E-09
59 | CON1O/CR COND1S/C S2NCCFTO | 4.44E-07 | 1.61E-09
60 | CON1O/CR S1NCCFTO COND2S/C | 1.07E-08 | 3.88E-11
61 | S1NOFTCR COND1S/C COND2S/C | 1.07E-08 | 3.88E-11
62 | CCFSFTCR COND1S/C S2NCCFTO | 1.51E-09 | 5.46E-12
63 | CCFSFTCR S1NCCFTO COND2S/C | 3.65E-11 | 1.32E-13
64 | CCFCOCR COND1S/C S2NCCFTO | 4.44E-09 | 1.61E-11
65 | CCFCOCR S1NCCFTO COND2S/C | 1.07E-10 | 3.88E-13
66 | K1FTPIR COND1S/C COND2S/C | 1.06E-08 | 3.84E-11
67 | CON2O/CR COND1S/C COND2S/C | 3.16E-08 | 1.14E-10
68 | CON1O/CR COND1S/C COND2S/C | 3.16E-08 | 1.14E-10
69 | CCFSFTCR COND1S/C COND2S/C | 1.07E-10 | 3.88E-13
70 | CCFCOCR COND1S/C COND2S/C | 3.16E-10 | 1.14E-12
TABLE C19: CUTSET LISTING FOR TOP EVENT CCT18
Version 5.27 Date(dd-mm-yy): 29-08-01 Time: 15.55.12 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT18 Freq: 2.61E-04 Prob: 7.10E-07
No. | Events | Frequency | Probability
1 | CCFSWMR | 1.70E-05 | 4.66E-08
2 | S1MFTOR CCFCSCR | 4.66E-10 | 6.38E-13
3 | S1MFTOR CCFSFTOR | 1.58E-10 | 2.17E-13
4 | S1MFTOR CCFRDOR | 1.57E-10 | 2.14E-13
5 | S1MFTOR S2NCFTOR | 6.71E-07 | 9.19E-10
6 | S1MFTOR S2MFTOR | 6.71E-07 | 9.19E-10
7 | CCFRDOR CCFCOCR | 4.60E-12 | 6.31E-15
8 | S2MFTOR CCFCSCR | 1.97E-08 | 2.70E-11
9 | S2MFTOR CCFSFTOR | 6.71E-09 | 9.19E-12
10 | S2MFTOR CCFRDOR | 6.63E-09 | 9.08E-12
11 | S2MFTOR S1NCCFTO | 6.15E-05 | 1.68E-07
12 | CCFRDOR CCFSFTCR | 1.57E-12 | 2.14E-15
13 | CCFCSCR S2NOFTCR | 1.97E-08 | 2.70E-11
14 | CCFSFTOR S2NOFTCR | 6.71E-09 | 9.19E-12
15 | CCFRDOR S2NOFTCR | 6.63E-09 | 9.08E-12
16 | CCFSFTOR CCFCOCR | 4.66E-12 | 6.38E-15
17 | CCFSFTOR CCFSFTCR | 1.58E-12 | 2.17E-15
18 | CCFCSCR S1NOFTCR | 4.66E-10 | 6.38E-13
19 | CCFSFTOR S1NOFTCR | 1.58E-10 | 2.17E-13
20 | CCFRDOR S1NOFTCR | 1.57E-10 | 2.14E-13
21 | CCFCSCR CCFCOCR | 1.37E-11 | 1.88E-14
22 | CCFCSCR CCFSFTCR | 4.66E-12 | 6.38E-15
23 | CCFCSCR K1FTPIR | 4.60E-10 | 6.31E-13
24 | CCFSFTOR K1FTPIR | 1.57E-10 | 2.14E-13
25 | CCFRDOR K1FTPIR | 1.55E-10 | 2.12E-13
26 | CCFRDOR CON1O/CR | 4.60E-10 | 6.31E-13
27 | CCFSFTOR CON1O/CR | 4.66E-10 | 6.38E-13
28 | S1MFTOR CON2S/CR | 4.66E-08 | 6.38E-11
29 | S2MFTOR COND1S/C | 1.81E-04 | 4.93E-07
30 | CCFCSCR CON2O/CR | 1.37E-09 | 1.88E-12
31 | CCFSFTOR CON2O/CR | 4.66E-10 | 6.38E-13
32 | CCFRDOR CON2O/CR | 4.60E-10 | 6.31E-13
33 | CCFCSCR CON1O/CR | 1.37E-09 | 1.88E-12
34 | S2NOFTCR COND1S/C S2NCFTOR | 7.12E-08 | 9.73E-11
35 | S2NOFTCR S1NCCFTO CON2S/CR | 1.68E-09 | 2.30E-12
36 | K3FTDOR K4FTDOR CON2O/CR | 3.18E-13 | 2.90E-16
37 | CON2O/CR S1NCCFTO S2NCFTOR | 1.68E-09 | 2.30E-12
38 | K3FTDOR K4FTDOR K1FTPIR | 1.07E-13 | 9.75E-17
39 | K1FTPIR S1NCCFTO S2NCFTOR | 5.65E-10 | 7.72E-13
40 | CON1O/CR S1NCCFTO S2NCFTOR | 1.68E-09 | 2.30E-12
41 | S1NOFTCR COND1S/C S2NCFTOR | 1.68E-09 | 2.30E-12
42 | S1NOFTCR S1NCCFTO CON2S/CR | 3.97E-11 | 5.42E-14
43 | K3FTDOR K4FTDOR CON1O/CR | 3.18E-13 | 2.90E-16
44 | K3FTDOR K4FTDOR S1NOFTCR | 1.08E-13 | 9.87E-17
45 | S1NOFTCR S1NCCFTO S2NCFTOR | 5.72E-10 | 7.81E-13
46 | K3FTDOR K4FTDOR S2NOFTCR | 4.58E-12 | 4.18E-15
47 | S2NOFTCR S1NCCFTO S2NCFTOR | 2.42E-08 | 3.31E-11
48 | S2MFTOR K3FTDOR K4FTDOR | 4.58E-12 | 4.18E-15
49 | S1MFTOR K3FTDOR K4FTDOR | 1.08E-13 | 9.87E-17
50 | CCFSFTCR S1NCCFTO S2NCFTOR | 5.72E-12 | 7.81E-15
51 | CCFCOCR S1NCCFTO S2NCFTOR | 1.68E-11 | 2.30E-14
52 | K1FTPIR COND1S/C S2NCFTOR | 1.66E-09 | 2.27E-12
53 | K1FTPIR S1NCCFTO CON2S/CR | 3.92E-11 | 5.36E-14
54 | K3FTDOR K4FTDOR CCFSFTCR | 1.08E-15 | 9.87E-19
55 | K3FTDOR K4FTDOR CCFCOCR | 3.18E-15 | 2.90E-18
56 | CON2O/CR COND1S/C S2NCFTOR | 4.94E-09 | 6.76E-12
57 | CON2O/CR S1NCCFTO CON2S/CR | 1.17E-10 | 1.60E-13
58 | S2NOFTCR COND1S/C CON2S/CR | 4.94E-09 | 6.76E-12
59 | CON1O/CR COND1S/C S2NCFTOR | 4.94E-09 | 6.76E-12
60 | CON1O/CR S1NCCFTO CON2S/CR | 1.17E-10 | 1.60E-13
61 | S1NOFTCR COND1S/C CON2S/CR | 1.17E-10 | 1.60E-13
62 | CCFSFTCR COND1S/C S2NCFTOR | 1.68E-11 | 2.30E-14
63 | CCFSFTCR S1NCCFTO CON2S/CR | 3.97E-13 | 5.42E-16
64 | CCFCOCR COND1S/C S2NCFTOR | 4.95E-11 | 6.76E-14
65 | CCFCOCR S1NCCFTO CON2S/CR | 1.17E-12 | 1.60E-15
66 | K1FTPIR COND1S/C CON2S/CR | 1.15E-10 | 1.58E-13
67 | CON2O/CR COND1S/C CON2S/CR | 3.43E-10 | 4.69E-13
68 | CON1O/CR COND1S/C CON2S/CR | 3.43E-10 | 4.69E-13
69 | CCFSFTCR COND1S/C CON2S/CR | 1.17E-12 | 1.60E-15
70 | CCFCOCR COND1S/C CON2S/CR | 3.43E-12 | 4.69E-15
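The "Freq" and "Prob" figures printed in the header of each cutset listing above are, to the printed precision, the plain sums of the frequency and probability columns, which is the rare-event approximation used to quantify a top event from its minimal cutsets. The following Python example is added here and is not part of the report or of the fault-tree tool that produced the listings: it re-derives the header figures of TABLE C13 (top event CCT12) from its 19 rows as transcribed from this page, accepts both row layouts the listings use (with and without the leading row number), and shows the share of the top-event frequency carried by the common cause failure cutsets, recognised by the CCF prefix of their event codes as used on the page. The function names and the tolerances are my own choices.

```python
"""Re-derive a cutset listing's top-event figures (added example, not from the report)."""
import math
import re
from typing import Callable, Dict, List, NamedTuple, Tuple


class Cutset(NamedTuple):
    events: Tuple[str, ...]  # basic-event codes, e.g. ("S1MFTOR", "S2MFTOR")
    frequency: float         # cutset frequency as printed in the listing
    probability: float       # cutset probability as printed in the listing


# The 19 rows of TABLE C13 (top event CCT12) transcribed from the page; its
# header reports "Freq: 9.23E-05 Prob: 8.69E-06".
CCT12_LISTING = """
No. Events Frequency Probability
CCFSWMR 1.70E-05 4.66E-08
CCFSFTO 1.70E-05 8.50E-06
CCFCSCR 5.00E-05 1.37E-07
S1MFTOR S2MFTOR 6.71E-07 9.19E-10
K1FTDOR S2MFTOR 6.63E-07 9.08E-10
K2FTPIR S1MFTOR 1.57E-08 2.14E-11
S1NCFTOR S2MFTOR 6.71E-07 9.19E-10
CON1S/CR S2MFTOR 1.97E-06 2.70E-09
S1MFTOR S2NOFTCR 6.71E-07 9.19E-10
S1MFTOR CON2O/CR 4.66E-08 6.38E-11
K1FTDOR K2FTPIR 1.55E-08 2.12E-11
K1FTDOR S2NOFTCR 6.63E-07 9.08E-10
K1FTDOR CON2O/CR 4.60E-08 6.31E-11
K2FTPIR S1NCFTOR 1.57E-08 2.14E-11
K2FTPIR CON1S/CR 4.60E-08 6.31E-11
S1NCFTOR S2NOFTCR 6.71E-07 9.19E-10
S1NCFTOR CON2O/CR 4.66E-08 6.38E-11
CON1S/CR S2NOFTCR 1.97E-06 2.70E-09
CON1S/CR CON2O/CR 1.37E-07 1.88E-10
"""

_SCI = re.compile(r"^\d+\.\d+E[+-]\d+$")  # the listing's number format, e.g. 1.70E-05


def parse_listing(text: str) -> List[Cutset]:
    """Parse rows of the form '[No.] EVENT ... FREQ PROB'.

    The leading row number is present on the report's continuation pages
    (rows 44 onwards) and absent on the first page of each table.
    """
    cutsets: List[Cutset] = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "No.":
            continue  # blank line or the column-header line
        if tokens[0].isdigit():
            tokens = tokens[1:]  # drop the row number
        if len(tokens) < 3 or not (_SCI.match(tokens[-2]) and _SCI.match(tokens[-1])):
            raise ValueError(f"malformed cutset row: {raw!r}")
        cutsets.append(Cutset(tuple(tokens[:-2]), float(tokens[-2]), float(tokens[-1])))
    return cutsets


def rare_event_total(cutsets: List[Cutset]) -> Tuple[float, float]:
    """Top-event frequency and probability by the rare-event approximation:
    the plain sum over minimal cutsets, valid while every cutset value is << 1."""
    return (sum(c.frequency for c in cutsets), sum(c.probability for c in cutsets))


def matches_header(cutsets: List[Cutset], freq_header: float, prob_header: float,
                   rel_tol: float = 0.01) -> bool:
    """Check that the rows reproduce the printed header figures within rounding."""
    freq, prob = rare_event_total(cutsets)
    return (math.isclose(freq, freq_header, rel_tol=rel_tol)
            and math.isclose(prob, prob_header, rel_tol=rel_tol))


def cutsets_by_order(cutsets: List[Cutset]) -> Dict[int, int]:
    """Count cutsets by order (number of basic events that must fail together)."""
    counts: Dict[int, int] = {}
    for c in cutsets:
        counts[len(c.events)] = counts.get(len(c.events), 0) + 1
    return counts


def frequency_share(cutsets: List[Cutset], predicate: Callable[[Cutset], bool]) -> float:
    """Fraction of the top-event frequency carried by cutsets satisfying predicate."""
    total, _ = rare_event_total(cutsets)
    return sum(c.frequency for c in cutsets if predicate(c)) / total


def is_ccf(cutset: Cutset) -> bool:
    """Common cause failure events in the listings carry the CCF prefix."""
    return any(event.startswith("CCF") for event in cutset.events)


if __name__ == "__main__":
    rows = parse_listing(CCT12_LISTING)
    freq, prob = rare_event_total(rows)
    print(f"{len(rows)} cutsets, by order: {cutsets_by_order(rows)}")
    print(f"Freq: {freq:.2E} Prob: {prob:.2E} (header: 9.23E-05 / 8.69E-06)")
    print(f"CCF share of top-event frequency: {frequency_share(rows, is_ccf):.1%}")
```

For CCT12 the three single-event CCF cutsets alone account for about 91% of the top-event frequency, which is why the report's comparisons with and without CCF differ so sharply; the same check can be run on any of the other listings by pasting its rows in place of the constructed CCT12 text.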
APPENDIX D: FAILURE MODES OF ELECTRICAL / ELECTRONIC COMPONENTS FOR LOW COMPLEXITY E/E/PES AND CONSERVATIVE VALUES OF FAILURE RATE

Table columns: Component | Total Failure Rate (per 10^6 hours) | Failure Mode | Failure Mode Ratio %. Below, each component line gives the component and its total failure rate; the indented lines give each failure mode and its ratio in %.

Switch with positive opening on demand, e.g. push button, emergency stop device, position switches, cam operated, selector switches | 1
  Contacts will not open* | 20
  Contacts will not close | 80

Electromechanical position switch, limit switch, manually operated switch etc. (not positively opening on demand) | 30
  Contacts will not open | 50
  Contacts will not close | 50

Relay | 0.4
  All contacts remain in the energised position when the coil is de-energised | 25
  All contacts remain in the de-energised position when the coil is energised | 25
  Contacts will not open | 10
  Contacts will not close | 10
  Simultaneous short circuit between three contacts of a change-over contact* | 10
  Simultaneous closing of normally open and normally closed contacts* | 10
  Short circuit between two pairs of contacts and/or between contacts and coil terminal* | 10

Circuit Breaker, Differential Circuit Breaker, Residual Current Device | 12
  All contacts remain in the energised position when the coil is de-energised | 25
  All contacts remain in the de-energised position when the coil is energised | 25
  Contacts will not open | 10
  Contacts will not close | 10
  Simultaneous short circuit between three contacts of a change-over contact* | 10
  Simultaneous closing of normally open and normally closed contacts* | 10
  Short circuit between two pairs of contacts and/or between contacts and coil terminal* | 10

Contactor | 1.2
  All contacts remain in the energised position when the coil is de-energised | 25
  All contacts remain in the de-energised position when the coil is energised | 25
  Contacts will not open | 10
  Contacts will not close | 10
  Simultaneous short circuit between three contacts of a change-over contact* | 10
  Simultaneous closing of normally open and normally closed contacts* | 10
  Short circuit between two pairs of contacts and/or between contacts and coil terminal* | 10

Fuse | 0.02
  Fails to blow (short circuit) | 10
  Open circuit | 90

Proximity switch | 10
  Permanently low resistance at output | 25
  Permanently high resistance at output | 25
  Interruption in power supply | 30
  No operation of switch due to mechanical failure* | 10
  Simultaneous short circuit between three terminals of changeover contacts* | 10

Temperature switch | 25
  Contacts will not close | 30
  Contacts will not open* | 10
  Short circuits between adjacent contacts* | 10
  Simultaneous short circuit between three terminals of change-over contacts* | 10
  Faulty sensor | 20
  Change of the detection or output characteristic | 20

Pressure switch | 110
  Contacts will not close | 30
  Contacts will not open* | 10
  Short circuits between adjacent contacts* | 10
  Simultaneous short circuit between three terminals of change-over contacts* | 10
  Faulty sensor | 20
  Change of the detection or output characteristic | 20

Solenoid valve | 3
  Does not energise | 3.4
  Does not de-energise | 17.3
  Change of switching times* | 3.4
  Non-switching (sticking in the end or zero position) or incomplete switching (sticking in a random intermediate position)*; spontaneous change of the initial switching position (without an input signal)*; leakage*; change in the leakage flow rate over a long period of time; bursting of the valve housing or breakage of the moving component(s) as well as breakage / fracture of the mounting or housing screws*; for servo and proportional valves: pneumatic / hydraulic faults which cause uncontrolled behaviour | 65.6

Transformer | 2
  Open circuit of individual winding | 70
  Short circuit between different windings* | 10
  Short circuit in one winding* | 10
  Change in effective turns ratio* | 10

Inductances | 0.001
  Open circuit | 80
  Short circuit* | 10
  Random change of value | 10

Resistors | 0.2
  Open circuit | 80
  Short circuit* | 10
  Random change of value | 10

Resistor Networks | 0.1
  Open circuit | 70
  Short circuit | 10
  Short circuit between any connections | 10
  Random change of value | 10

Potentiometers | 0.2
  Open circuit of individual connection | 70
  Short circuit between all connections | 10
  Short circuit between any two connections | 10
  Random change of value | 10

Capacitors | 0.3
  Open circuit | 40
  Short circuit | 40
  Random change of value | 10
  Changing value tan δ | 10

Discrete semiconductors | 0.06
  Open circuit of any connection | 25
  Short circuit between any two connections | 25
  Short circuit between all connections | 25
  Change in characteristics | 25

Non-programmable integrated circuits (non-complex, i.e. less than 1000 gates and/or less than 24 pins, operational amplifiers, shift registers, and hybrid modules) | 0.3
  Open circuit of any connection | 20
  Short circuit between any two connections | 20
  "Stuck at" faults | 20
  Parasitic oscillation of outputs | 20
  Changing values (e.g. input/output voltage of analogue device) | 20

Opto-couplers | 0.6
  Open circuit of individual connection | 30
  Short circuit between any two input connections | 30
  Short circuit between any two output connections | 30
  Short circuit between any two connections of input and output* | 10

Plug and socket, multi-pin connector | 0.4 per active contact
  Short circuit between any two adjacent pins* | 10
  Short circuit of any conductor to an exposed conductive part | 10
  Open circuit of individual connector pins | 80

Terminal block | 0.12 per active contact
  Short circuit between adjacent terminals* | 10
  Open circuit of individual terminals | 90

Notes.
1) Failure modes indicated by an asterisk may be omitted from the failure rate calculation if the conditions of Table D.5 of prEN954-2 are met. If all potentially dangerous failure modes of a component are excluded on these grounds, the component need not be taken into account.
2) Electrical failure modes taken from Tables D.5 of prEN954-2. Mechanical failure modes (where applicable) are taken from Annexes A, B and C of prEN954-2.
Printed and published by the Health and Safety Executive C30 1/98
Printed and published by the Health and Safety Executive C1.25 10/02
ISBN 0-7176-2576-1
RR 029
9 780717625765
£20.00